SpiderWorks eBooks

David Hill's step-by-step guide to game development, with complete source code. Learn C the easy way with Dave Mark, updated and expanded for Mac OS X. AppleScript techniques.

Quality content from respected authors at a great price. Optimized for easy on-screen reading, yet perfect for printing, SpiderWorks eBooks are uniquely formatted and hyperlinked for fast access and quick learning.

For more information and to order online, visit the SpiderWorks web site.
c-tree Plus

The c-tree Plus embedded database engine offers Superior Indexing Technology, the key to performance, data integrity, and concurrency. c-tree Plus offers direct, record-oriented C APIs with an industry-standard SQL interface that allows use of any combination of APIs within the same application. Furthermore, we offer source code access for intimate programming control, unmatched portability, and developer-to-developer technical support.

Heterogeneous Environments

c-tree Plus and c-treeSQL Servers are the perfect solution for your mixed platform environments. Mac servers to Windows clients? No problem. Linux servers to Mac clients? No problem. c-tree has a long history of cross-platform development solutions. Byte incompatibility between platforms is handled seamlessly with our Uniformat data handling technology.

Low TCO

c-tree is priced affordably, requires minimal hardware resources, and needs no IT staff for maintenance. If Total Cost of Ownership (TCO) is important to you, c-tree is the perfect database.

Easy Deployment

c-tree Servers are designed for ease of use and deployment as well. Out of the box, our servers can be installed and running in minutes.

Start indexing your data today!
What's New In This Issue?

Two new columns for your reading pleasure!

Welcome to another great month of the New MacTech! We are excited about all we have to share with you this month. So without further ado...

This month marks the first installments of Dean Shavit and Ed Marczak's new columns. Dean will be bringing you "The Source Hound", his exploration of all things Open Source. This month check out "Betting on The Dark Horse", Dean's exploration of the origins and evolution of the Open Source movement. Ed's column, "Mac in The Shell", kicks off this month with "The Terminal: Why?", an informative and fun treatise on how ALL Mac users can get more out of the Terminal. We are very excited Ed and Dean will be contributing their extensive knowledge and outstanding writing skills to our readers.

This month's issue is bursting at the seams with more great stuff for you. Our focus this month is on the ever-important issue of security. Our cover story is an extensive piece from Paul Day on locking down your Mac to keep your data safe from prying eyes as well as from people who mean to do us harm if they can get their grubby hands on our machines. Read Paul's Cover Story and your data will be safer. We promise!

In keeping with our commitment to provide the finest in coverage of issues for both our developer and sysadmin readers, we have another great Getting Started column from Editor-In-Chief Dave Mark. This month Dave shares his very positive impressions of the latest version of BBEdit, and puts the evolution of this valuable tool into some historical context. You'll really enjoy this piece! Also on tap this month is another great piece from regular contributor Paul Ammann. This time around Paul gives us a primer on using regular expressions, and then digs in and introduces us to a great open source API, Jakarta-ORO. We have a fun and educational piece from August Trometer on podcasting, a really informative introduction to Kerberos from columnist John Welch, another great piece from AppleScript guru Ben Waldie, our resident QuickTime god, Tim Monroe, gives us Part 2 of his piece on developing command-line QuickTime tools, and as always our popular KoolTools section from Reviews Editor Michael Harvey.

Some time ago we asked our Publisher, Neil Ticktin, to quickly summarize our editorial policy. Neil's answer was, "anything geeks will find interesting". In keeping with Neil's very specific and narrowly defined direction, this month we are featuring a piece that's a little out of the mainstream for us. George Reis, a veteran photographic forensics expert with an extensive career in helping law enforcement catch the bad guys, has contributed a piece we really loved reading (hey, we're geeks, so this conforms to Neil's policy!). The piece is entitled "Imaging Forensics - An Overview". George really knows his stuff and we really enjoyed reading about the application of Mac based tools to this important area.

This month also marks the last installment of our very popular software marketing series from Dave Wooldridge. This month Dave tells us how RSS news broadcasts can be a more effective tool than e-mail. While Dave has decided he just doesn't have the time to devote to a monthly column, he will still be contributing when the mood strikes and his schedule allows. We look forward to seeing much more great stuff from Dave!

Well, that's it for this month. As always, we look forward to your feedback on what we're doing for you. Please send your thoughts to editorial@mactech.com.

Enjoy! 
Your Magazine Needs You

by Michael R. Harvey, Reviews Editor

Product reviews are a big part of what we do here at MacTech. In almost every article we publish, there's at least a little review in there. Finding the best tools, programs, utilities, and fun gadgets, even the occasional really cool game, and telling you all about why you have to have them now is my job. It's quite a bit of work. For quite a few of the product categories we concentrate on, it's more than I can handle. So, I don't do it all (don't tell my kid that, he thinks I know everything).

On those occasions when I must bow to the realization that I am not n+1 (and it's taken a lot of therapy for me to be able to admit that), I go looking for someone who knows the product well. I bug our regular contributors, people I know, people they know, people who know people I've known but haven't spoken to since that incident at the club; I've even resorted to accosting random strangers on the street (I am probably listed in more email spam filters than Sanford Wallace at this point). Often, one of these sources will get me a good writer, but not always. With everyone I know, with everyone they know, we still don't have nearly enough of that n+1 expertise out in the world available to us to provide the best reviews of everything we want to show you in MacTech.

That's only half the problem. Setting aside the issue of finding a good writer for the moment, there's another area we don't cover in MacTech: all the stuff we don't find out about. It's a big world, and we operate in, and report on, a large and growing industry. Companies and individuals are, on a daily basis, putting out new products, new widgets, and plug-ins, and add-ons, and The Next Big Things. And, I have no doubt whatsoever we miss some of them. But you all don't. There are too many of you readers out there, way more than there are of us staff, for you to miss much. Why aren't you telling us about all these cool things? Hmm?

Come on, you know your ego is just itching to be pumped up. To be a published author, admired by men, adored by women (or whatever order you want to put that in). Well, it is pretty cool to see your name in the byline there. And you can always put it on your resume.

You've read the myriad of articles and reviews written by our staff, columnists, contributing editors, and guest authors. Articles by Tim Monroe, Schoun Regan, Chris Kilbourn, John Welch, and Dave Mark to name a few. I know you know something they don't know. I just know it. Share the wealth with the rest of us. If you have a product you know about, if there's a tool you use every day to get the job done, if there's that one utility, IDE, app, CFM, thing, whatever, you'd love to get your hands on and really put through its paces, let me know, and we'll see what we can do to put your knowledge in the hands of many many thousands of MacTech readers, making them smarter, and you their hero (at least for one issue). Email me at reviews@mactech.com.


MacTech

Communicate With Us

Department E-Mails

Orders, Circulation, & Customer Service: cust_service@mactech.com
Press Releases: press_releases@mactech.com
Ad Sales: adsales@mactech.com
Editorial: editorial@mactech.com
Online Support: online@mactech.com
Accounting: accounting@mactech.com
Marketing: marketing@mactech.com
General: info@mactech.com
Web Site: http://www.mactech.com


In this electronic age, the art of communication has become both easier and more complicated. Is it any surprise that we prefer e-mail?

If you have any questions, feel free to call us at 805/494-9797 or fax us at 805/494-9798.

If you would like a subscription or need customer service, feel free to contact MacTech Magazine Customer Service at 877-MACTECH.

We love to hear from you!

Please feel free to contact us with any suggestions or questions at any time.

Write to letters@mactech.com or editorial@mactech.com as appropriate.
GETTING STARTED - by Dave Mark

BBEdit: Somehow, It Still Doesn't Suck!


A long time ago, in a galaxy far, far away, a guy named Rich Siegel released a nice little piece of freeware named BBEdit. Released back in 1991, BBEdit was designed to edit text files and, as its famous marketing campaign trumpeted, it didn't suck. Over the years, we've seen a ton of software packages come and go, or become bloated with unnecessary features just to keep the update fairy happy. Somehow, BBEdit has kept its trim, unsucky figure, yet still managed to shoehorn in an amazing number of extremely useful features.

I recently upgraded to BBEdit 8, and thought it might be worth spending some time exploring BBEdit - the old, the new, and even an interesting, yet secret, nook and cranny or two. Before we get started, take a minute to download the BBEdit demo, if you don't already have it installed, of course. Here's the URL:

http://www.barebones.com/products/bbedit/demo.shtml

Multi-File Search

BBEdit 1.0 first shipped as freeware back in 1991. One of its most notable features was multi-file search and replace; it was one of the first applications to offer this. Over the years, BBEdit's multi-file search has evolved into an incredibly powerful tool, one that I find has uses far beyond BBEdit's environment. Here's an example.

Launch BBEdit. If it doesn't automatically create a new, untitled document, create one yourself or open your favorite text file.

Now select Find... from the Search menu. A dialog like the one shown in Figure 1 will appear. Enter some text to search for. In my case, I wanted to find some source code that worked with the IOBluetoothDevice class.

At the bottom of the dialog, I checked the Multi-File Search checkbox. This caused the Sources drawer to zoom off the left side of the window. There are several ways to populate this window. You can open a Finder window, select a folder that you'd like to search, and drag it into the Sources drawer. Another way is to click on the Other... button in the bottom-right of the window, then choose the folder you'd like added to your search list.

As you can see, you can even add a web site to your search list (love this feature). In addition, BBEdit automatically builds a list of your recent folders.

Figure 1. Multi-file Search (the Find dialog with Multi-File Search checked and the Sources drawer open).

Once you are happy with your search setup, click the Find All button. BBEdit will launch a thread for each specified directory and will return control to you. Each search is recursive with respect to the directory. Figure 2 shows my search, in progress, as it searches the Developer/Examples directory. BBEdit will recursively search each file in the directory, scanning its contents


for the string IOBluetoothDevice.

When I took the screenshot in Figure 2, BBEdit had found 21 occurrences of the string. If I had clicked the Stop button, BBEdit would have presented me with a list of the 21 occurrences it had found so far.

Figure 2. A search in progress (the progress window reads "Searching 'AppearanceSample Main.cp'... 21 occurrences found", with a Stop button).











Figure 3. Working with the search results.


Each search builds a list of results that you can work with. Figure 3 shows the results of my search for IOBluetoothDevice. There were 21 occurrences. As you might expect, the search window organizes the search results by file. Click on a result in the upper pane of the search results window and the appropriate file contents are scrolled into view in the bottom pane with the search string highlighted.

Want to edit the file? Click on the result and click the Open button (upper right corner of the search results window) or double-click on the result and the file will open for editing in BBEdit.
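BBEdit's Find All, as described above, is a recursive, per-file search whose results are grouped by file. The Python script below is an added example written for this article, not BBEdit's own code; it reproduces the essentials of that behaviour from the command line: walk a directory tree, skip hidden directories, symlinks and binary files, and group matching lines by file. The files it searches are constructed inline in demo() (they are not Apple's Developer/Examples), so the script runs offline.

```python
"""Recursive multi-file search grouped by file, in the spirit of BBEdit's Find All.

Added example for this article; not BBEdit's code.
"""
import os
import re
import tempfile


def is_probably_binary(data: bytes) -> bool:
    """Same heuristic grep uses: a NUL byte in the first 8 KiB means 'binary', skip it."""
    return b"\x00" in data[:8192]


def search_tree(root, pattern, extensions=None, max_bytes=10 * 1024 * 1024):
    """Walk `root` recursively and return {relative_path: [(line_no, line), ...]}.

    `extensions` (e.g. ('.c', '.h', '.cp')) limits which names are opened; None
    opens every file. Hidden directories (.svn, .git, ...), symlinks and files
    larger than `max_bytes` are skipped, so a stray core file or image cannot
    blow up the search.
    """
    regex = re.compile(pattern)
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Pruning dirnames in place stops os.walk from descending into them.
        dirnames[:] = sorted(d for d in dirnames if not d.startswith("."))
        for name in sorted(filenames):
            if extensions and not name.lower().endswith(tuple(extensions)):
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.getsize(path) > max_bytes:
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if is_probably_binary(data):
                continue
            # Decode leniently: a stray Latin-1 byte must not abort a whole search.
            lines = data.decode("utf-8", errors="replace").splitlines()
            hits = [(no, line) for no, line in enumerate(lines, 1) if regex.search(line)]
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def count_occurrences(results):
    """Total number of matching lines across all files (what BBEdit reports as 'occurrences')."""
    return sum(len(hits) for hits in results.values())


def demo():
    """Build a small constructed source tree in a temp dir and search it."""
    samples = {  # constructed sample files, not Apple's Developer/Examples
        "Bluetooth/Device.cp": "#include <IOBluetooth/IOBluetoothDevice.h>\n"
                               "IOBluetoothDevice *dev = nil;\n"
                               "int unrelated = 0;\n",
        "Other/Main.cp": "int main(void) { return 0; }\n",
        ".svn/Device.cp": "IOBluetoothDevice *ignored_by_pruning;\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        with open(os.path.join(root, "Other", "Device.o"), "wb") as fh:
            fh.write(b"\x7fELF\x00IOBluetoothDevice\x00")  # binary: skipped
        results = search_tree(root, r"\bIOBluetoothDevice\b", extensions=(".cp", ".h", ".o"))
        return results, count_occurrences(results)


if __name__ == "__main__":
    found, total = demo()
    for rel, hits in found.items():
        print(rel)
        for no, line in hits:
            print("  %4d: %s" % (no, line))
    print("%d occurrences found" % total)
```

Run it with `python3 search_tree.py`; to search a real tree, call search_tree("/Developer/Examples", r"IOBluetoothDevice", extensions=(".c", ".cp", ".h", ".m")) from your own code. The binary check and the size cap are the two things worth keeping in any home-grown search: without them a search over a build directory spends its time inside object files and disk images.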


Opening Remote Files

Ever have to log on to an FTP site, just to edit a single file? Typically, you'll fire up your FTP client, download the file in question, edit the file, save it, then go back to your FTP client and upload the file again. If the file is part of a web site, you might repeat this cycle a number of times till you get things looking just right!

BBEdit offers the ability to open and edit remote files via FTP and SFTP. This means you can open, edit, and save the file, all without leaving BBEdit. And once you've opened the file remotely, you can edit, save, test, edit, save, test, all without leaving BBEdit.

Here's an example. In BBEdit, select Open from FTP/SFTP Server... from the File menu. When the open dialog appears, type

































in your favorite FTP server info. For anonymous FTP, leave the User Name and Password fields blank.

In my session, I connected to Apple's FTP server using the server name ftp.apple.com and anonymous FTP. To log in, I pressed the Connect button. When the list of files at ftp.apple.com appeared, I double-clicked the developer directory, then selected one of the .txt files in the directory and clicked the Open button (see Figure 4). The selected document opened in BBEdit. Since this particular FTP site does not give write permission to anonymous FTP, I was not able to save changes I made to the document, but if I did have the right permissions, I could have edited the doc and selected Save to save the changed doc back on the server.

One caveat for sessions that are not anonymous: plain FTP sends your user name, password and the file contents across the network unencrypted, so pick the SFTP option whenever the server supports it, and think twice before checking Remember Password for an FTP account.


Figure 4. Opening a remote file from Apple's FTP server (the dialog offers Rendezvous, a server name field showing ftp.apple.com, Passive FTP, User Name, Password, Remember Password, Auto-Connect, Show Files Starting with ".", Show Document Icons, and a Connect button).


AppleScript

BBEdit is one of the most studly AppleScript apps in existence. To give you a sense of this, Apple uses BBEdit to test new versions of the Apple Event Manager. BBEdit is recordable, meaning you can use tools like the Script Editor to record a sequence of BBEdit events as an AppleScript. BBEdit is scriptable, meaning you can write scripts that make use of BBEdit's object model to access and control any BBEdit objects. Finally, BBEdit is attachable, which means you can add scripts to the application itself.

To truly see this magnificent studliness for yourself, launch Script Editor and select Open Dictionary... from the File menu. When prompted, double-click on the BBEdit entry in the app list (see Figure 5).


Figure 5. Opening BBEdit's AppleScript dictionary (the Open Dictionary sheet lists installed applications and scripting additions with a Browse... button).


Ordinarily, I would take the time to step through the dictionary, pointing out specific examples along with some interesting scripts. But the dictionary is so flipping big! And lovely! Open the dictionary in Script Editor and take a look for yourself.

Another way to explore BBEdit's AppleScriptiness is to launch BBEdit and select Open Scripts Folder (or just open BBEdit's BBEdit Support folder, Scripts subfolder). Open the sample scripts in Script Editor and play with them.


BBEdit Command Line Tool

When you run BBEdit for the first time, you are asked if you'd like to install the BBEdit command line tool. You definitely want to do this. The BBEdit command line tool is a Unix binary that passes data given to it on to BBEdit. A few examples will help make this clear.

Launch Terminal. Type this command:

bbedit /usr/include/sys*.h

The BBEdit command line tool will launch BBEdit and open the files syslog.h and sysexits.h. Folks that are used to using text editors like vi and emacs will be delighted to have this powerful alternative to edit their Unix files. To take this one step further, emacs fans can go to the BBEdit menu, choose Preferences, select the Editing:Keyboard pane, then check the Use Emacs Key Bindings checkbox.

Here's another example. Type this command:

ls -l | bbedit

This command will do a long listing of the contents of the current directory, then use the Unix pipe operator (|) to send the results of that command to a BBEdit window. Beautiful!

Now try this one:

man bbedit | bbedit

This will bring up the man page for the bbedit command line tool in a BBEdit window. Worth a quick read, just to see what else you can do.


HTML Markup Tools

By far, one of the most common uses for BBEdit is to create and edit HTML. BBEdit is a great text editor, and you've probably seen the various menus that let you automatically construct and insert the various HTML tags in your document. You've probably also seen BBEdit's color coding of those same tags. But there's a bit more to the picture.

Start by selecting New HTML Document... from the File menu. A form appears that lets you specify a number of defaults for your document. Figure 6 shows a form I filled out to create my sample HTML doc.

Figure 6. Creating a new HTML document (the form has an Insert XML Declaration checkbox and Title and Base fields; I gave mine the title "Dave's BBEdit Demo").

Once I clicked OK, a new editing window appeared, containing this HTML:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
    "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title>Dave's BBEdit Demo</title>
<meta name="generator" content="BBEdit 8.0">
</head>
<body>
</body>
</html>

You should be able to follow along and see the connection between the various elements in the form and the actual HTML code that was generated.

Now find a picture on your hard drive somewhere and drag its icon onto the BBEdit window, preferably between the <body> and </body> tags. The dialog shown in Figure 7 will appear. Fill it in as you like, then click the Insert button.

Figure 7. Editing the <img> tag from a drag-and-drop operation.

Here's the <img> tag that was created from the dialog in Figure 7:

<img src="file://localhost/Users/davemark/Desktop/fur.jpg" alt="Picture of Fur" width="1600" height="1024">

Note that the src BBEdit wrote is a file:// URL pointing at my local disk. That works in BBEdit's preview, but it breaks the moment the page is uploaded, and it publishes your local path and user name in the page source. Before the page goes live, copy the image into the site and change src to a path relative to the site's root.

Now for the coolest part. Click on the Markup menu and select Preview in BBEdit. A new window will open previewing the HTML you just created. BBEdit also allows you to preview in any browser you have installed on your hard drive. With this Preview capability, you can make changes to your HTML, preview it to see how it lays out, then edit and save and preview again.

If you've got modules like PHP installed on your local machine, you'll want to go to the BBEdit menu, choose Preferences, then select the HTML Web Sites pane. Double-click on the Untitled Site and edit the dialog shown in Figure 8.

Figure 8. Creating an HTML Web Site in the BBEdit Preferences.

Fill in the fields that describe the web site you are editing. If you are serving off your local machine, be sure to check the Use Local Preview Server checkbox. If it works on your local machine, BBEdit will take advantage of it. Serving pages locally means you don't have to edit and save files over the network. You can debug your entire site using BBEdit for editing and for preview. If you play with add-on modules like PHP and MySQL and you've not set up your own Mac as a local server, you should absolutely explore this option. A huge time saver.


The Doc Window

When you open multiple documents in Word, you get an individual window for each open document. When you open multiple documents in BBEdit, the documents are all listed in a drawer on the right side of the main editing window. Figure 9 shows an editing session with the documents drawer open, listing all the files currently open in BBEdit.

Figure 9. The document drawer.

Notice that the name of the currently edited document is in bold in the documents drawer. The diamond next to a doc indicates that it has not yet been saved. You can drag documents into and out of the documents drawer. If you look closely at Figure 9, you'll see that the doc being edited is a .pdf. I dragged the pdf file from the desktop into the documents drawer and the pdf code appeared in the editing window. Pretty interesting stuff.

Drag a .jpg file onto the drawer and BBEdit will open a new window containing the image. Note that in this case, the .jpg appears in its own unique window and not as part of the documents drawer's "set". Drag a text doc (even an .html, .rtf or .pdf, anything text-based) onto the drawer and the document is added to the set.

Note the action popup menu in the upper-left corner of the documents drawer. You can use this menu to create a new, empty doc, close the current doc, or open the current doc in a new window, thus creating a new doc set. You can even drag docs between doc drawers, moving documents between sets.

You can open and close the doc drawer by clicking on the drawer icon in the upper-right corner of the main editing window.

You can close individual docs by clicking on the x to the right of the appropriate doc name in the drawer.

You can also move between documents in a set by selecting the doc from the drop-down menu in the status bar, just below the icon bar in the main editing window, or by clicking the left or right arrows in the navigation bar to move up or down the doc list.

Text Factory

One of my favorite features in BBEdit is the Text Factory. Text Factory? You'll see. Go to the File menu, select New, then Text Factory from the submenu. An untitled factory window will appear (see Figure 10).

Figure 10. A new, untitled Text Factory.


Your goal here is to build a set of rules that you can then apply to a document's text. For example, in the default Text Factory in Figure 10, the Change Case operation is selected. Obviously, we'll use this operation to change the case in a document's text. If you click the Options... button to the right of this operation, you can set the specific Change Case options. As you can see in Figure 11, we'll set the specified text to ALL UPPER CASE.


Figure 11. This pane appears when you click the Options... button for the Change Case rule (the choices are ALL UPPER CASE, all lower case, Capitalize Words, Capitalize Sentences and Capitalize Lines).


Click the + button to add a new operation, - to delete the current operation. Figure 12 shows the list of operations you can choose from.

Change Case
Convert to ASCII
Educate Quotes
Straighten Quotes
Add/Remove Line Numbers
Prefix/Suffix Lines
Sort Lines
Process Duplicate Lines
Process Lines Containing
Zap Gremlins
Normalize Line Endings
Entab
Detab
Replace All
Change Line Endings
Change Text Encoding
Run AppleScript Filter
Run Unix Filter

Figure 12. The list of Text Factory operations.

Once you are happy with your Text Factory, you can click the Choose... button at the top of the window to select files on which to operate and click the Options... button to customize the search, then click the Apply button.

Alternatively, you can save your Text Factory (just as you would any other document) as a file on your hard drive. Once saved, click in the doc you want to change and select Apply Text Factory... from the Text menu. When prompted, choose the saved factory and its operations will be applied.
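Most of the operations in the list above (Zap Gremlins, Normalize Line Endings, Straighten Quotes, Detab, Sort Lines, Process Duplicate Lines, Change Case) are simple text transforms applied in order, and the list ends with Run Unix Filter, which hands the text to an external program. The Python script below is an added example, not part of BBEdit or this article: it implements several of those operations as plain functions and chains them the way a factory's rows are chained. It assumes, as is the convention for Unix filters, that the program receives the text on standard input and writes the transformed text to standard output; the sample text in demo() is constructed.

```python
"""A stdin-to-stdout text filter that chains Text Factory-style operations.

Added example, not BBEdit's code.
Usage from a shell:  some_command | python3 factory.py zap_gremlins detab
"""
import re
import sys

# "Gremlins": control characters other than tab, line feed and carriage return.
GREMLIN_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
# Typographer's ("educated") quotes and their straight equivalents.
SMART_QUOTES = {"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'}


def _lines(text):
    """Split into lines, remembering whether the text ended with a newline."""
    trailing = "\n" if text.endswith("\n") else ""
    body = text[:-1] if trailing else text
    return body.split("\n"), trailing


def _join(lines, trailing):
    return "\n".join(lines) + trailing


def zap_gremlins(text):
    return GREMLIN_RE.sub("", text)


def normalize_line_endings(text):
    """CRLF (Windows) and bare CR (classic Mac OS) both become LF."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def straighten_quotes(text):
    return "".join(SMART_QUOTES.get(ch, ch) for ch in text)


def detab(text, width=4):
    lines, trailing = _lines(text)
    return _join([line.expandtabs(width) for line in lines], trailing)


def sort_lines(text):
    lines, trailing = _lines(text)
    return _join(sorted(lines), trailing)


def process_duplicate_lines(text):
    """Keep the first occurrence of each line, drop later repeats."""
    lines, trailing = _lines(text)
    seen, kept = set(), []
    for line in lines:
        if line not in seen:
            seen.add(line)
            kept.append(line)
    return _join(kept, trailing)


def change_case_upper(text):
    return text.upper()


OPERATIONS = {
    "zap_gremlins": zap_gremlins,
    "normalize_line_endings": normalize_line_endings,
    "straighten_quotes": straighten_quotes,
    "detab": detab,
    "sort_lines": sort_lines,
    "process_duplicate_lines": process_duplicate_lines,
    "change_case_upper": change_case_upper,
}


def apply_factory(text, steps):
    """Run the named operations in order, like the rows of a Text Factory."""
    for name in steps:
        if name not in OPERATIONS:
            raise ValueError("unknown operation: %s" % name)
        text = OPERATIONS[name](text)
    return text


def demo():
    # Constructed sample: Windows line endings, a BEL gremlin, curly quotes,
    # a leading tab, and a duplicate line.
    sample = "say \u201chello\u201d\r\n\tdone\x07\r\nsay \u201chello\u201d\r\n"
    return apply_factory(sample, ["zap_gremlins", "normalize_line_endings",
                                  "straighten_quotes", "detab",
                                  "process_duplicate_lines"])


if __name__ == "__main__":
    steps = sys.argv[1:] or ["zap_gremlins", "normalize_line_endings"]
    sys.stdout.write(apply_factory(sys.stdin.read(), steps))
```

The order of the rows matters, just as it does in BBEdit: zapping gremlins before normalizing line endings is harmless, but sorting before de-duplicating gives a different result than the reverse, so keep the operation list explicit rather than hard-wiring a fixed pipeline.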

Till Next Month...

There is just so much to write about, I could go on forever. Problem is, I've already way overstepped my page limit. Sorry folks, got carried away. But before I go, here are a pair of quick secrets that I think you'll enjoy.

I find the first one incredibly useful. Pick a doc to edit, then hold down the option key. The cursor should turn into a plus sign. Click and drag and BBEdit will create a rectangular selection. Try it, you'll like it.

To access the second secret, select About BBEdit from the BBEdit menu. Wait a few seconds. The about box will start to scroll. If you don't want to wait and you have a scroll wheel mouse, you can scroll the about box by hand.

But that's not really the secret. Hold down the command key and click on the about window's title. Cool! It's a very secret menu. Select each of the items and enjoy. See you next month!



About The Author

Dave Mark is a long-time Mac developer and author and has written a number of books on Macintosh development, including Learn C on the Macintosh, Learn C++ on the Macintosh and the Macintosh Programming Primer series.

Dave's been busy lately cooking up his next concoction. Want a peek? http://www.spiderworks.com.


What's under the hood?

High-performance inventions are driven by powerful engines. That's why OpenBase SQL balances performance with real fault-tolerance, and the horse-power today's multi-user applications need.

Find out how OpenBase SQL stacks up against other databases at http://www.openbase.com/databases.pdf

OpenForms database GUI building application available soon for OpenBase SQL!

Test-drive OpenBase SQL with a free, single-user developer license. What will you build with OpenBase? www.openbase.com/testdrive

"OpenBase allowed us to quit worrying about the database so we could focus on our business." Josh Paul, Overhyped Technologies, creator of software that stores film clips for Reality TV shows.
NEW TECHNOLOGY

Podcasting 101

How to create your own podcast

By August Trometer


LIVING THE DREAM

OK, I admit it: I've always wanted my own radio show. You know, a show where I could talk about the things that interest me, play the songs that I like, and interview fascinating people. The unfortunate truth is that radio is a tough business to get into, and I never got to have that show. Until now.

Podcasting is the hottest new term on the internet. In the last few weeks, a Google search for podcasting has gone from only a few hundred results to well over half-a-million. Some media analysts predict that podcasting is going to change broadcasting forever. Why? Because with podcasting, everyone can have their own show. Instead of a huge studio, all you need is a computer and a bit of software. In fact, in the method I'm going to describe, you can begin podcasting for under $50. This article will show you how.

WHAT IS PODCASTING?

The idea behind podcasting is simple. It's like TiVo for internet audio. The term podcasting is a play on the word broadcasting, but it turns traditional broadcasting on its head. Programs aren't streamed, like radio, but instead delivered, like magazine subscriptions, right to your desktop. With the right client software, all this happens transparently, and you wake up with fresh content to listen to all day long. The beauty of this method is that you're no longer tied to the show's schedule - you can listen to the programs when you have time, rather than when they're "on."

Podcasting works using syndication feeds, such as those using RSS, to deliver these shows to you. If you use a newsreader, you already know how to subscribe to a podcast, since it is exactly the same as a newsfeed with just an enclosed file. Podcast clients let you subscribe to syndication feeds. If there are any files available, the client automatically downloads them for you.

There are hundreds of people producing podcasts, and more shows are popping up every day. Even some of the big media names are starting to take interest as more and more people turn to podcasts rather than regular radio for their information and entertainment.

Even more interesting is that anyone can create and distribute his own podcast. The power of today's computers and the vast reach of the internet mean that having your own radio show is nearly as easy as hitting record on your Mac.

RECEIVING PODCASTS

Before you start creating your own show, it's probably a good idea to listen to some of the other podcasts out there. To do that, you'll need a podcast client. For the Mac there are currently two clients available, iPodderX (http://iPodderX.com), which is shareware, and iPodder Lemon (http://ipodder.sourceforge.net), which is open source. Both have their own set of features, but the basic functionality of each is similar.
Figure 1. iPodderX

Figure 2. iPodder Lemon

Download and install the client of your choice, launch it, and you can begin adding feeds. Both clients feature an integrated podcast directory listing many of the available podcasts, so feel free to browse and choose the podcasts that interest you. Both clients can also be set to automatically download podcasts, so you don't need to manage the downloads. I highly recommend that you find this setting and turn it on.

Once you're all set up, the fun begins. Whenever your client checks for podcasts, it looks at the list of feeds you've subscribed to. If there are any available files, it automatically downloads them to your computer. Now the magic: if the file is an audio file, it will be automatically moved to iTunes for you, where you can listen at your leisure. If you have an iPod, the next time you sync, all those podcasts will be copied to your iPod. You'll have fresh content to go!

YOUR FIRST PODCAST

Now that you've familiarized yourself with the client side of podcasting, it's time to start thinking about your own show. What kind of show do you want to do? The sky is the limit. Some shows are over half an hour in length and feature music, commentary, or interviews. Others are short. KOMO, out of Seattle, has brief two to three minute podcasts containing their news stories. One podcast I know is simply a guy reading a bit of poetry each day. Use your imagination, and who knows what you might come up with.

After you've decided on a format, the next step is a bit of paperwork. I've noticed that the most popular shows are the ones that are the most professional. By professional, I don't mean slickly produced. Instead, I'm simply talking about a little preparation so your show goes smoothly, so taking a few minutes to organize yourself will help increase your eventual listenership.

I suggest sitting down and drafting a brief outline of your show. Perhaps you'd like a music intro. Then maybe a few minutes of commentary, then another song. Whatever you decide, put it on paper. That way, as the show goes along, you can refer to the outline to make sure you don't have any embarrassing gaps of silence in the program.

Tape the outline to your computer monitor so that it's in easy view. If you've ever been to a real recording studio, they do the same thing. You don't want the sounds of rustling paper to be recorded, so with it taped to the monitor you can refer to it without handling it.

THE GEAR

There are probably as many ways to set up a podcasting studio as there are podcasts. The method I'm going to show you I use for two reasons. One, it's easy to set up. Two, it's cheap. For under $50, you've got a podcasting studio that's ready to roll. I suspect that sooner rather than later someone will develop a Podcasting Studio application. Until then, we need to use several bits of software.

Here's the list of things you'll need:

• A microphone. Most Macs have a built-in microphone. If yours doesn't, you can use an iSight (you've been looking for an excuse, right?) or a USB mic, such as Griffin's iMic. This article will assume you're simply using the built-in mic.

• Headphones or earphones. You'll need to wear earphones during the entire podcast; otherwise, you'll end up with feedback which will ruin your recording.

• iTunes or QuickTime. You'll use these to play audio files.

• iChat or Skype. If you want to interview remote guests, you can do so using an Audio iChat or Skype.

• WireTap from Ambrosia Software (http://www.ambrosiasw.com/utilities/freebies). WireTap is freeware, and it's what we'll use to capture your computer's output and record the audio.

MacTech | Podcasting 101 | 15

• Audio Hijack Pro from Rogue Amoeba (http://rogueamoeba.com/audiohijackpro/). Audio Hijack Pro is $32. There is a demo version, so you can try it before paying for it. If you have GarageBand, you can use it instead of Audio Hijack Pro, but it tends to be a little more resource hungry.

SETTING IT ALL UP

The job of creating the podcast breaks down into two basic tasks: recording what you say into the microphone, and recording the audio output from your Mac. While recording, you want to make sure that nothing is recorded other than the show. So you need to be in a quiet room, with the TV and stereo turned off.

You'll also need to make sure that any error sounds from your Mac are not recorded. The easiest way to fix this is to turn them off. In your System Preferences, choose the Sound panel, then choose the Sound Effects tab. Make sure the checkboxes for playing interface sounds and volume sounds are unchecked.

Figure 3. Sound Effects Off

While you're here, click the Input tab and check your microphone settings. These will need adjustment as you become accustomed to how your particular setup records sound. The idea here is to make sure your recording levels don't clip, but the sensitivity is still strong enough for you to be heard.

You also need to make sure to quit any non-essential applications. Recording audio can be a processor intensive task, and any stray processes running on your system will slow things down considerably. You'll also want to make sure you turn off the automatic checking on your podcast client. Invariably, as soon as you sit down to record, your client app will start downloading files, causing you all kinds of headaches.

Plug in your headphones, put them on, and launch all the apps you are going to use for your podcast, including WireTap and Audio Hijack Pro. You'll also want to get any audio clips you want to play ready as well. Put them within easy reach or in a playlist in iTunes. Finally, if you're going to have a remote guest via Audio iChat, it's time to get them ready as well.

We're going to use WireTap to record all audio output by your Mac. It's very easy: just configure it the way you like, and press the record button. WireTap always saves your file as an AIFF audio file. Once it's recorded, we'll convert it to an MP3 or AAC in iTunes.

Figure 4. WireTap Settings

The main problem with WireTap is that it won't record the input from your microphone. We need to use another application to monitor your mic that WireTap can record from. That's what Audio Hijack is for. In Audio Hijack, you'll see a list of potential sources in the left hand pane. Choose System Input (Default). Then, click the Hijack button in the main window. You do not need to turn on recording - that's what WireTap is for.

Figure 5. Audio Hijack Settings
In Audio Hijack, you can also add some effects to your voice. In the lower right corner, click the Effects tab. Click any empty slot to insert an Effect, and a list of possible effects will pop up. Choose what you'd like here, but unless you have a specific purpose in mind, don't go too crazy. A robot voice is fine for a few seconds, but several minutes of it can be tiresome. I use the Bass and Treble effect to boost the bass in my voice. It helps give me that "radio sound" that we all know so well.

Figure 6. Adding a Voice Effect

THE CURTAIN RISES

You're all set to go! In WireTap, press the Record button to begin the show. Follow your outline. If you need to play something in iTunes, go ahead, and WireTap will record it automatically. Call up your pal on iChat, and they can be a guest on your show as well.

When you're done, just click the Stop button in WireTap. The entire file will be saved to your hard drive in the location you specified.

That's it! You just recorded your first podcast!

At this point, you're finished with the recording. The method described above will give you a single file, nearly ready to publish, but you could just as easily record small clips and edit them together with an audio editor to form a longer piece. If you'd like, you can also edit to remove any long pauses, erms, and ahs from your recording.

CONVERSION AND PUBLISHING

As I mentioned, WireTap records the file in AIFF format. We need to convert that to either MP3 or AAC.

Drag the file into the iTunes window. The podcast will be copied into iTunes. In the iTunes Preferences, choose the Importing tab. Set these preferences however you'd like them. You'll want to use either MP3 or AAC. Set the bitrate to whatever you'd prefer, but keep in mind that the higher the bitrate, the bigger the file. This means longer download times for the listeners and higher bandwidth usage for you.

Figure 7. iTunes Import Settings

Control-click on the podcast file in your iTunes library. A contextual menu will pop up. Choose "Convert Selection to AAC" (or MP3), and iTunes will convert your AIFF file to the proper format.

Finally, we need to change some ID3 tags so that the listeners will have it properly added to their iTunes library. Select the converted file in iTunes, then type Command-I to bring up the file's information. Change this as you see fit. Generally, you should put the name of the podcast ("Mac News") in the Album slot, while the name of the individual episode ("MacWorld 2005") goes in the Name blank. It's also nice if you set the Genre to 'Podcast', so those who subscribe to your show can sort by Genre in iTunes to get all of the podcasts. You can also, if you'd like, give the file some "Cover Art." Simply drag an image, say the show's logo, into the image well in iTunes. It will be converted and stored in the ID3 tag.

Figure 8. ID3 Tag Settings
GETTING IT ONLINE

OK. You've got the show recorded, and you've got it converted to MP3 or AAC. All that's left is getting it on the web. Upload the file to a webserver you have access to. This could be your .Mac iDisk, an ISP, or even your own home computer.

You've probably already got a weblog, and if you've got a weblog, it's most likely already got a newsfeed. More and more weblog publishing tools are adding support for podcasting. WordPress and Movable Type both have plugins available that will format your RSS feed for podcasts. If yours doesn't, you'll need to hand code it. While syndication feeds are far beyond the scope of this article, I'll show you the one small change you need to make to your RSS 2.0 feed.

In the RSS 2.0 feed (2.0 only, not .91, .92, or 1), between the <item> tags of the appropriate item, you need to add an <enclosure> tag with the following format:

    <enclosure url="http://your.podcast.com/file.mp3"
        length="FILE_SIZE_IN_BYTES"
        type="audio/mpeg" />

The url is the URL of the file, the length is the size of the file in bytes, and the type is the MIME type of the file. All three are required.

Once that tag is added to your feed, any podcast client that has subscribed to your feed will automatically get your new podcast.
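The client side of that <enclosure> rule, as an added example that is not code from the article or from either podcast client: a validator that checks each item's enclosure for the three required attributes, an absolute http(s) URL, an integer byte count and an audio MIME type before anything is downloaded. The feed text and the MIME list are constructed for the demo.

```python
"""Validate <enclosure> elements in an RSS 2.0 feed the way a careful
podcast client would before it downloads anything.

Added example, not code from the article or from any podcast client.
The sample feed below is constructed for the demo."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# MIME types a podcast client can reasonably hand to iTunes/QuickTime
# (constructed allow-list; extend to taste).
AUDIO_TYPES = {"audio/mpeg", "audio/mp4", "audio/x-m4a", "audio/aac"}
# 2 GiB cap: anything larger is a typo or an attempt to fill the disk.
MAX_LENGTH = 2 * 1024**3


def check_enclosure(enc):
    """Return a list of problems with one <enclosure> element (empty == OK)."""
    problems = []
    url = enc.get("url")
    length = enc.get("length")
    mime = enc.get("type")
    # RSS 2.0 says all three attributes are required.
    for name, value in (("url", url), ("length", length), ("type", mime)):
        if value is None:
            problems.append(f"missing required attribute '{name}'")
    if url is not None:
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"url must be absolute http(s), got {url!r}")
    if length is not None:
        # length is the size in bytes; it must be a plain non-negative integer.
        if not length.isdigit():
            problems.append(f"length must be an integer byte count, got {length!r}")
        elif int(length) > MAX_LENGTH:
            problems.append(f"length {length} exceeds cap of {MAX_LENGTH} bytes")
    if mime is not None and mime.lower() not in AUDIO_TYPES:
        problems.append(f"type {mime!r} is not an audio MIME type this client plays")
    # Note: length and type come from the publisher's feed; a client should
    # still compare them with the HTTP Content-Length/Content-Type on download.
    return problems


def validate_feed(xml_text):
    """Map each item title to its list of enclosure problems.
    Items without any enclosure are reported too, since a podcast item
    without a file is useless to the client."""
    root = ET.fromstring(xml_text)
    if root.tag != "rss" or root.get("version") != "2.0":
        raise ValueError("enclosures are only defined for RSS 2.0 feeds")
    report = {}
    for item in root.iter("item"):
        title = item.findtext("title", default="(untitled)")
        encs = item.findall("enclosure")
        if not encs:
            report[title] = ["no <enclosure> element"]
            continue
        problems = []
        for enc in encs:
            problems.extend(check_enclosure(enc))
        report[title] = problems
    return report


# Constructed sample feed: one good item, one missing length,
# one with a non-http URL, a non-numeric length and a non-audio type.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Mac News</title>
    <item>
      <title>MacWorld 2005</title>
      <enclosure url="https://example.invalid/macworld2005.mp3"
                 length="10485760" type="audio/mpeg" />
    </item>
    <item>
      <title>Missing length</title>
      <enclosure url="https://example.invalid/ep2.mp3" type="audio/mpeg" />
    </item>
    <item>
      <title>Wrong type and scheme</title>
      <enclosure url="ftp://example.invalid/ep3.bin" length="abc"
                 type="application/octet-stream" />
    </item>
  </channel>
</rss>
"""

if __name__ == "__main__":
    for title, problems in validate_feed(SAMPLE_FEED).items():
        print(f"{title}: {'OK' if not problems else '; '.join(problems)}")
```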

A COUPLE OF CONCERNS

Since podcasting is such a new phenomenon, there are a few kinks that still need to be ironed out. One of the big ones is bandwidth. If you have a successful podcast, for example, be prepared to use a lot of extra bandwidth. If your file is 10MB in size and 300 people listen to it, you're looking at a pretty big bandwidth bill if you pay by the GB.

To alleviate the bandwidth concerns, both client developers and content producers are experimenting with alternatives such as BitTorrent, but there's no real magic bullet yet. Your bandwidth costs will likely go up, so just be aware of that.

Also, be careful of the music you play during your show. If it's copyrighted, and you don't have the rights to play it, you could be opening yourself up for legal trouble. There is a lot of Creative Commons music available online that is royalty free, or you could create your own with GarageBand. Above all, be careful with what you publish.

NOT JUST AUDIO

We've spent this entire article talking about audio, but syndication enclosures can be any type of file. With a good podcast client, images will be moved into iPhoto where they can be synced with the iPod Photo, while video podcasts (which can't go on your iPod yet) will be saved to your hard drive where you can watch them with QuickTime. Even sharing Applications is possible in a podcast feed! Use your imagination - there's no end to what can be done with this technology!

THE SHOW MUST GO ON

Now you know how to create and publish your own podcast. But that's just the beginning! You've got to keep going, creating more content. Like anything else, podcasting takes practice. In fact, I recommend producing several podcast shows just to get the feel of it before you actually publish anything for the world to hear. Once you get the hang of it, add the shows to your feed, and you're on your way to being an internet icon!

Good luck - I can't wait to hear your show!

About The Author

August Trometer is the creator of iPodderX, a podcast receiver for Mac OS X as well as the Mac-centric website dotmac.info. He can be reached at BlueGus@mac.com.



The Source Hound • by Dean Shavit

Betting on The Dark Horse

When someone mentions Open-Source software in the Information Technology arena these days, there's often smiles all around. There's big wide grins (those who've made careers maintaining solutions most corporate IT departments wouldn't dare touch); there's wry smiles (folks who'll listen but never ever implement software without 24/7 telephone support); there's the up/down silly Texas-border shaped smiles of those who've spent months or years wrestling with compilers, config files, dependencies, and libraries, and, of course, there's the smile-and-nod "Oh yes we've heard of that" from the gee-whiz IT Analysts who bandy about big buzz-words yet not-so-slyly bet on the favorite from the big proprietors of big proprietary software.

A Horse Is A Horse, Of Course, Or Is It?

Not a month can go by when I don't hear a horror story of Microsoft swooping down on some growing company that didn't have its licenses in order, only to cow them into ponying up for Office and Windows and a hefty fine. It's really strange to see, in almost every instance, those companies continue on with the big proprietors seemingly out of fear of either being litigated into an early grave or left without software to run their businesses.

One reality that many companies don't consider is that there is a choice of platforms and software for any business, regardless of its size, age, or niche. No company has to follow the rest of the lemmings off the cliff and standardize on Microsoft Windows and Microsoft Office, or even on OS X for that matter. There's always FreeBSD or any number of Linux distributions available to use as an Operating System. Another reality, though, has to do with basic support: the computer is a foundation for the software that runs on it, so naturally it should be functional out of the box, if not ready for action, hopefully with someone to call if the computer should come up lame. So choosing a computer platform for personal use or business is a lot like plunking down money on a horse race: there's the favorite (Windows and Office), there's the challenger (OS X and Office) and then there's the long shot (OS X running Open-Source alternatives to Microsoft Software), and of course, the even longer shot (Linux, an Open-Source Operating System running Open-Source software).

I've always been a fan of the underdog (hence my devotion to the Mac platform before and after OS X), but even though OS X has really leveled the playing field in terms of pure functionality when running neck and neck with the latest versions of Windows, the Mac, in my opinion, is now more than ever the dark-horse platform, but with one important difference: it now is showing signs of becoming a great platform for Open-Source solutions.

ARPANET: THE OLD GREY MARE

Once upon a time, the computer software business was a cooperative effort between very large entities, most notably the Government, and the Government. Nearly all of the foundational components of the Internet such as the TCP/IP protocol suite, and the UNIX Operating System itself, have history in the DOD (Department of Defense) and the ARPAnet (Advanced Research Projects Agency Network), which spawned an unprecedented level of cooperation between Government agencies and large Universities. Reading the numerous histories of the ARPAnet, I found that the various authors kept repeating two similar phrases, albeit in slightly different forms: "there was a spirit of openness" or, "there was a spirit of sharing."


Evidently, the late 60s computer developers mirrored the spirit of their age, and established a standard of open documentation that paved the way for the Internet, UNIX with common command sets, and email, known as the RFC (Requests for Comments), which came from a direct need to keep everyone in the NWG (Network Working Group) up-to-date:

One researcher, Robert Braden, summed it up this way: "For me, participation in the development of the ARPAnet and the Internet protocols has been very exciting. One important reason it worked, I believe, is that there were a lot of very bright people all working more or less in the same direction, led by some very wise people in the funding agency. The result was to create a community of network researchers who believed strongly that collaboration is more powerful than competition among researchers. I don't think any other model would have gotten us where we are today." (RFC 1336)

"These standards (or lack of them) are stated explicitly for two reasons. First, there is a tendency to view a written statement as ipso facto authoritative, and we hope to promote the exchange and discussion of considerably less than authoritative ideas. Second, there is a natural hesitancy to publish something unpolished, and we hope to ease this inhibition." (RFC 3, 1969)

There's an overwhelming consensus, even today, among most computer professionals and software companies that the Internet should remain framed within the bounds of open standards. That's why it's downright scary when a company like Microsoft announces any type of Internet or web-related initiative: such proposals, no matter how good they might be for computer users, threaten the spirit of the endeavor, which is probably, anti-trust legalities aside, what spurred the Government's lawsuits against Microsoft, which probably wasn't really breaking any laws by building Internet Explorer into Windows. What Microsoft was doing, or threatening to do, was to build something that wasn't good for the Internet, and in many respects, the Internet is one of the greatest things our Government ever helped to produce, Al Gore's contribution notwithstanding. After all, IP packets still carry Uncle Sam's stamp, as in these:

    ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
    ETHERNET: Destination address : 00E0293C9740
    ETHERNET: .......0 = Individual address
    ETHERNET: ......0. = Universally administered address

GNU AND LINUX: HORSES OF A DIFFERENT COLOR

Some web sites refer to the ARPAnet and the development of the TCP/IP protocol suite and the RFCs as the "prehistory of Open-Source," but actually, Open-Source is often described as a "movement." As such, the years between the introduction of the Macintosh, which coincided with the increasing dominance of Microsoft Operating Systems, and the foundation of the "official" Open-Source Initiative in 1998, are the years where Open-Source compiled its trails. Much of the action coalesced around two groups: GNU (Gnu's Not Unix), which codified the spirit of cooperation in the form of Open licenses, and NCSA (National Center for Supercomputing Applications), which brought the World Wide Web into general use. Together, the platform for collaboration (the Internet) and Open licensing would lay the groundwork for the Open-Source offerings available today.

Much of the GNU project is the brainchild of one man, Richard Stallman, who announced in 1983:

Free Unix!

Starting this Thanksgiving I am going to write a complete Unix-compatible software system called GNU (for Gnu's Not Unix), and give it away free to everyone who can use it. Contributions of time, money, programs and equipment are greatly needed.

Although the GNU project didn't get into full swing until 1984, it was clear that Stallman certainly had the OSS (Open-Source Spirit). Eventually, this spirit evolved into a manifesto:

Why I Must Write GNU

I consider that the golden rule requires that if I like a program I must share it with other people who like it. Software sellers want to divide the users and conquer them, making each user agree not to share with others. I refuse to break solidarity with other users in this way. I cannot in good conscience sign a nondisclosure agreement or a software license agreement. For years I worked within the Artificial Intelligence Lab to resist such tendencies and other inhospitalities [sic], but eventually they had gone too far: I could not remain in an institution where such things are done for me against my will. So that I can continue to use computers without dishonor, I have decided to put together a sufficient body of free software so that I will be able to get along without any software that is not free. I have resigned from the AI lab to deny MIT any legal excuse to prevent me from giving GNU away.

The first thing that comes to mind is wow, here's a guy willing to quit his job, because he feels so passionately about the need for readily available, non-commercial computing tools. Is there anyone who feels that strongly today? No doubt there is; yet such grand sacrifices are hardly necessary now, not with the GNU General Public License. The founding fathers knew that spirit alone just isn't enough to make a permanent dent: every prophet eventually has to be or find a scribe.

So, in 1989 (later revised in 1991), the spirit of the GNU project was codified in the GNU General Public License, also known as the GPL. This is now the license of choice for almost all Open-Source software. This principle became known as "Copyleft." Like the Declaration of Independence, the GPL has a few choice lines that sum up the whole:

1. From the Preamble: "The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users."

2. "When we speak of free software, we are referring to freedom, not price."

3. "To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights."

4. "Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all."

How many of us breeze through the license agreements while installing software, oblivious to the legalities that installation implies? To take a moment to read the GPL reveals a work of sparse genius: modify, customize, even patent the software if you like, but your rights are everyone's rights. Ad infinitum. You can make it your own, but you can't own it. That pretty much sums up the state of Open Source licensing up to the present, even though there's variations on Open Licensing such as the LGPL, BSD, MIT, and Mozilla public licenses, just to name a few. A complete list is available at http://www.opensource.org/licenses/index.php.

In 1991, Linus Torvalds gave birth to a graduate school project and an operating system that bore his name: Linux. Even though the GNU "hackers" had developed a foundation of Free software tools that ran under UNIX, the Operating System itself remained under private ownership and could and would be used for competitive and proprietary purposes in the quest to gain market share. Linux gave Open-Source development what it really needed to flourish: a complete Open-Source, low overhead and lightweight foundation. Just like the GNU software, Linux could be freely distributed, modified, and enhanced, as long as the source code shipped along with the disc and documentation. It's not necessary to go into depth on Linux; let's just acknowledge that it's been very, very successful. Apple even cut its teeth on Linux with MkLinux (http://www.mklinux.org) in the late 1990's with the intention of bringing it to the PowerPC platform. MkLinux was different from all other Linux distributions because it used an earlier version of the Mach microkernel that powers OS X.

THE GREAT BIG GIFT HORSE(S)

It was one thing for the GNU hackers and Linus Torvalds to build free UNIX tools and a free operating system. It was another, wholly unanticipated event that kicked the Open-Source Initiative into high gear: the announcement that Netscape intended to give away the source code for its browser, Netscape Navigator, which would later become Mozilla (and Firefox and Camino and Thunderbird), and a foundation (the Mozilla Foundation, named after the colorful dragon mascot of Netscape 1.0). A group of excited volunteers, with the blessing of Linus Torvalds, created www.opensource.org, definitively coining the term "Open-Source," and adopting the Open Source Definition derived from the Debian Linux Free Software Guidelines. The gift of Netscape didn't pay off immediately, but when it did, all computing platforms (Windows, OS X, and Linux) got better browsers and email clients, with other products like group calendaring (Sunbird) and a world-class bug tracking system (Bugzilla) as well.

In the year 2000, Sun Microsystems followed the lead of Netscape, gifting the codebase for StarOffice to the Open-Source community and establishing the OpenOffice project. It was the single largest lump of source code ever to be released to open development, and eventually, through the hard work of the NeoOffice team (http://www.neooffice.org), brought a Microsoft Office alternative to OS X without X Windows, fully integrated with the OS X Aqua interface late in 2004.

The successes of Linux, BSD and the Mozilla project rubbed off on Apple as it honed its plans for OS X in 1999. By making the core of its Operating System, known as Darwin, Open-Source, Apple gained important mindshare among developers. Almost immediately upon its release, OS X had companion projects such as Fink (http://fink.sourceforge.net) and DarwinPorts (http://darwinports.opendarwin.org) to bring Linux and BSD software to OS X. With the release of X Windows for OS X in 2002, and Xcode tools with the GCC 3 compiler concurrent with OS X 10.3, the pace of "porting" or tweaking source code for compilation under Xcode has picked up, with a large percentage of Linux software available to run on the Mac either on the command line, under X Windows, or in some cases, natively in the OS X Aqua environment, even though some versions lag slightly behind the Linux versions. Nowadays, it's almost expected that an Open-Source project has an OS X or Darwin version. As a matter of fact, there's currently a quiet propaganda battle going on between the OS X user community and the Linux user community as to which has the greater share of UNIX desktops. Either way, it's a win-win for all computer users.

BETTING ON THE DARK HORSE 

It's quite amazing how the Mac has evolved in its role as 
the dark horse of the computer world. Back in the days 
before OS X, Mac users may have had the superior interface, 
file system, and desktop publishing platform, but the reality 
was that as Windows progressed, Mac OS 9 showed 
creakiness and lack of flexibility. It was difficult, if not 
impossible, for instance, to get a VPN client, or a Windows 
File Sharing client, or access to an Apache web server without 
paying through the nose, things we now take for granted. As 
an underdog, OS X is now not only more capable and secure 
than Windows, it's also capable of running a majority of 
Linux software. 

Just today, Apple announced the Mac Mini, the cheapest 
Mac ever. At $499, the Mac Mini has a chance to make some 
serious penetration into the corporate IT world as a 
workstation of choice to replace aging Windows boxes or 
Macs. With more and more companies seeking to decrease 
their dependence on proprietary solutions (not to mention 
decreasing licensing fees and the fear that comes from non-
compliance as well), OS X is poised to eat into Microsoft's 
market share as it never has before. Imagine a five hundred 
dollar workstation that requires not a single commercial 
application to be a productive business computer, with a 
slick and friendly interface, the tightest hardware/software 
integration available for any platform, with no CALs (client 
access licenses on the server end), no software police, and 
no malware. I'm putting my money on the dark horse, which 
just happens to be white. 

Matchmaking with Regular Expressions 

By Paul Ammann 


If you've programmed in Perl or any other language with built-
in regular-expression capabilities, then you probably know how 
much easier regular expressions make text processing and pattern 
matching. If you're unfamiliar with the term, a regular expression is 
simply a string of characters that defines a pattern used to search for 
a matching string. 

Many languages, including Java, Perl, PHP, Python, JavaScript, 
and JScript, now support regular expressions for text processing, 
and some text editors use regular expressions for powerful search-
and-replace functionality. 

Since I've been moving away from Perl and more towards Java, 
I discovered the open source Jakarta-ORO library from Apache.org. 
The Jakarta-ORO Java classes are a set of text-processing Java 
classes that provide Perl5 compatible regular expressions, AWK-like 
regular expressions, glob expressions, and utility classes for 
performing substitutions, splits, filtering filenames, etc. 

In this article, I'll first give you a short primer on regular 
expressions, and then I'll show you how to use regular expressions 
with the open source Jakarta-ORO API. 

REGULAR EXPRESSIONS 101 

Let's start simple. Suppose you want to search for a string with 
the word "cat" in it; your regular expression would simply be "cat". 
If your search is case-insensitive, the words "catalog", "Catherine", or 
"sophisticated" would also match: 

Regular expression: cat 

Matches: cat, catalog, Catherine, sophisticated 


The Period Notation 

Imagine you are playing Scrabble and need a three-letter word 
starting with the letter "t" and ending with the letter "n". Imagine 
also that you have an English dictionary and will search through its 
entire contents for a match using a regular expression. To form such 
a regular expression, you would use a wildcard notation: the 
period (.) character. The regular expression would then be "t.n" and 
would match "tan", "Ten", "tin", and "ton"; it would also match 
"tpn", and even "t n", as well as many other nonsensical words. This 
is because the period character matches everything, including the 
space, the tab character, and even line breaks: 

Regular expression: t.n 

Matches: tan, Ten, tin, ton, t n, tpn, etc. 

The Bracket Notation 

To solve the problem of the period's indiscriminate matches, 
you can specify characters you consider meaningful with the 
bracket ("[]") expression, so that only those characters would match 
the regular expression. Thus, "t[aeio]n" would just match "tan", 
"Ten", "tin", and "ton". "Toon" would not match because you can 
only match a single character within the bracket notation: 

Regular expression: t[aeio]n 
Matches: tan, Ten, tin, ton 

The OR Operator 

If you want to match "toon" in addition to all the words 
matched in the previous section, you can use the "|" notation, 
which is basically an OR operator. To match "toon", use the regular 
expression "t(a|e|i|o|oo)n". You cannot use the bracket notation 
here because it will only match a single character. Instead, use 
parentheses, "()". You can also use parentheses for groupings 
(more on that later): 

Regular expression: t(a|e|i|o|oo)n 
Matches: tan, Ten, tin, ton, toon 
The Quantifier Notations 

Table 1 shows the quantifier notations used to determine how 
many times the notation to the immediate left of the quantifier 
should repeat itself: 

Table 1: Quantifier Notations 

Notation   Number of Times 
*          0 or more times 
+          1 or more times 
?          0 or 1 time 
{n}        Exactly n number of times 
{n,m}      n to m number of times 


Let's say you want to search for a social security number in a 
text file. The format for US social security numbers is 999-99-9999. 
The regular expression you would use to match this is shown in 
Figure 1. In regular expressions, the hyphen ("-") notation has 
special meaning inside brackets: it indicates a range, such as the 
"0-9" that matches any digit from 0 to 9. As a result, you must escape 
the character with a backslash when matching the literal hyphens in a 
social security number. 

Figure 1: Matches: All social security numbers of the 
form 123-12-1234 

    [0-9]{3}\-[0-9]{2}\-[0-9]{4} 

    [0-9]{3}   the first 3 digits 
    \-         hyphen 
    [0-9]{2}   the next 2 digits 
    \-         hyphen 
    [0-9]{4}   the last 4 digits 


If, in your search, you wish to make the hyphen optional (if, 
say, you consider both 999-99-9999 and 999999999 acceptable 
formats), you can use the "?" quantifier notation. Figure 2 shows that 
regular expression: 

Figure 2: Matches: All social security numbers of 
the forms 123-12-1234 and 123121234 

    [0-9]{3}\-?[0-9]{2}\-?[0-9]{4} 

    [0-9]{3}   the first 3 digits 
    \-?        optional hyphen 
    [0-9]{2}   the next 2 digits 
    \-?        optional hyphen 
    [0-9]{4}   the last 4 digits 

Let's take a look at another example. One format for US car 
plate numbers consists of four numeric characters followed by two 
letters. The regular expression first comprises the numeric part, 
"[0-9]{4}", followed by the textual part, "[A-Z]{2}". Figure 3 shows the 
complete regular expression: 

Figure 3: Matches: Typical US car plate numbers, 
such as 8836KV 

    [0-9]{4}[A-Z]{2} 

    [0-9]{4}   the first 4 digits 
    [A-Z]{2}   the last 2 letters 

The NOT Notation 

The "^" notation is also called the NOT notation. If used in 
brackets, "^" indicates the character you don't want to match. For 
example, the expression in Figure 4 matches all words except those 
starting with the letter X. 

Figure 4: Matches: All words except those that 
start with the letter X 

    [^X][a-z]+ 

    [^X]       the first character must not be X 
    [a-z]+     the subsequent characters can be anything from a-z 

The Parentheses and Space Notations 

Say you're trying to extract the birth month from a person's 
birthdate. The typical birthdate is in the following format: June 26, 
1951. The regular expression to match the string would be like the 
one in Figure 5: 

Figure 5: Matches: All dates with the format of 
Month DD, YYYY 

    [a-z]+\s+[0-9]{1,2},\s*[0-9]{4} 

    [a-z]+       month field 
    \s+          mandatory space 
    [0-9]{1,2}   day of month, up to 2 digits 
    ,            mandatory comma 
    \s*          optional space 
    [0-9]{4}     year field, up to 4 digits 

The new "\s" notation is the space notation and matches all 
blank spaces, including tabs. If the string matches perfectly, how do 
you extract the month field? You simply put parentheses around the 
month field, creating a group, and later retrieve the value using the 
ORO API (discussed in a following section). The appropriate regular 
expression is in Figure 6: 

Figure 6: Matches: All dates with the format Month 
DD, YYYY, and extracts Month field as Group 1 

    ([a-z]+)\s+[0-9]{1,2},\s*[0-9]{4} 

    ([a-z]+)     month field in Group 1 
    \s+          mandatory space 
    [0-9]{1,2}   day of month, up to 2 digits 
    ,            mandatory comma 
    \s*          optional space 
    [0-9]{4}     year field, up to 4 digits 
Other Miscellaneous Notations 

To make life easier, some shorthand notations for commonly 
used regular expressions have been created, as shown in Table 2: 

Table 2: Commonly used notations 

Notation   Equivalent Notation 
\d         [0-9] 
\D         [^0-9] 
\w         [A-Z0-9] 
\W         [^A-Z0-9] 
\s         [ \t\n\r\f] 
\S         [^ \t\n\r\f] 

To illustrate, we can use "\d" for all instances of "[0-9]" we used 
before, as was the case with our social security number expressions. 
The revised regular expression is in Figure 7: 

Figure 7: Matches: All social security numbers of 
the form 123-12-1234 

    \d{3}\-\d{2}\-\d{4} 

    \d{3}   the first 3 digits 
    \-      hyphen 
    \d{2}   the next 2 digits 
    \-      hyphen 
    \d{4}   the last 4 digits 


JAKARTA-ORO LIBRARY 

Many open source regular expression libraries are available for 
Java programmers, and many support the Perl 5-compatible regular 
expression syntax. I use the Jakarta-ORO regular expression library 
because it is one of the most comprehensive APIs available and is 
fully compatible with Perl 5 regular expressions. It is also one of the 
most optimized APIs around. 

The Jakarta-ORO library was formerly known as OROMatcher 
and has been kindly donated to the Jakarta Project by Daniel 
Savarese. You can download the package from a link in the 
Resources section below. 

THE JAKARTA-ORO OBJECTS 

I'll start by briefly describing the objects you need to create and 
access in order to use this library, and then I will show how you use 
the Jakarta-ORO API. 

The PatternCompiler Object 

First, create an instance of the Perl5Compiler class and 
assign it to the PatternCompiler interface object. Perl5Compiler 
is an implementation of the PatternCompiler interface and lets 
you compile a regular expression string into a Pattern object 
used for matching: 

    PatternCompiler compiler = new Perl5Compiler(); 

The Pattern Object 

To compile a regular expression into a Pattern object, call the 
compile() method of the compiler object, passing in the regular 
expression. For example, you can compile the regular expression 
"t[aeio]n" like so: 

    Pattern pattern = null; 
    try { 
        pattern = compiler.compile("t[aeio]n"); 
    } catch (MalformedPatternException e) { 
        // compile() throws a checked exception for a syntactically bad expression 
        e.printStackTrace(); 
    } 

By default, the compiler creates a case-sensitive pattern, so that 
the above setup only matches "tan", "tin", "ten", and "ton", but not 
"Tin" or "taN". To create a case-insensitive pattern, you would call the 
compiler with an additional mask: 

    pattern = compiler.compile("t[aeio]n", Perl5Compiler.CASE_INSENSITIVE_MASK); 

Once you've created the Pattern object, you can use it for 
pattern matching with the PatternMatcher class. 

The PatternMatcher Object 

The PatternMatcher object tests for a match based on the 
Pattern object and a string. You instantiate a Perl5Matcher class and 
assign it to the PatternMatcher interface. The Perl5Matcher class is 
an implementation of the PatternMatcher interface and matches 
patterns based on the Perl 5 regular expression syntax: 

    PatternMatcher matcher = new Perl5Matcher(); 

You can obtain a match using the PatternMatcher object in one 
of several ways, with the string to be matched against the regular 
expression passed in as the first parameter: 

* boolean matches(String input, Pattern pattern): Used if the 
input string and the regular expression should match exactly; 
in other words, the regular expression should totally 
describe the string input 

* boolean matchesPrefix(String input, Pattern pattern): Used if 
the regular expression should match the beginning of the 
input string 

* boolean contains(String input, Pattern pattern): Used if the 
regular expression should match part of the input string (i.e., 
should be a substring) 

You could also pass in a PatternMatcherInput object instead of 
a String object to the above three method calls; if you did so, you 
could continue matching from the point at which the last match was 
found in the string. This is useful when you have many substrings 
that are likely to be matched by a given regular expression. The 
method signatures with the PatternMatcherInput object instead of 
String are as follows: 

* boolean matches(PatternMatcherInput input, Pattern pattern) 

* boolean matchesPrefix(PatternMatcherInput input, Pattern 
pattern) 

* boolean contains(PatternMatcherInput input, Pattern pattern) 

SCENARIOS FOR USING THE API 

Now let's discuss some example uses of the Jakarta-ORO library. 

Log File Processing 

Your job: analyze a Web server log file and determine how 
long each user spends on the Website. An entry from a typical BEA 
WebLogic log file looks like this: 

172.26.155.241 - - [26/Feb/2001:10:56:03 -0500] "GET 
/isAlive.htm HTTP/1.0" 200 15 

After analyzing this entry, you'll realize that you need to extract 
two things from the log file: the IP address and a page's access time. 
You can use the grouping notation (parentheses) to extract the IP 
address field and the timestamp field from the log entry. 

Let's first discuss the IP address. It consists of 4 bytes, each with 
values between 0 and 255; each byte is separated from the others 
by a period. Thus, in each individual byte in the IP address, you 
have at least one and at most three digits. You can see the regular 
expression for this field in Figure 8: 

Figure 8: Matches: IP addresses that consist of 4 
bytes, each with values between 0 and 255 

    \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} 

    \d{1,3}   1st byte, 1 to 3 digits 
    \.        mandatory period 
    \d{1,3}   2nd byte, 1 to 3 digits 
    \.        mandatory period 
    \d{1,3}   3rd byte, 1 to 3 digits 
    \.        mandatory period 
    \d{1,3}   4th byte, 1 to 3 digits 

You need to escape the period character because you literally 
want it to be there; you do not want it read in terms of its special 
meaning in regular expression syntax, which I explained earlier. 

The log entry's timestamp is surrounded by square 
brackets. You can extract whatever is within these brackets by first 
searching for the opening square bracket character ("[") and 
extracting whatever is not the closing square bracket 
character ("]"), continuing until you reach the closing square bracket. 
Figure 9 shows the regular expression for this: 

Figure 9: Matches: At least one 
character until "]" is found 

    \[[^\]]+\] 

    \[        the starting "[" character 
    [^\]]+    part of the expression that matches any character 
              until "]" is found (at least one character should 
              be matched) 
    \]        the ending "]" character 
Now you combine these two regular expressions into a single 
expression with grouping notation (parentheses) for extraction of 
your IP address and timestamp. Notice that "\s-\s-\s" is added in the 
middle so that matching occurs, although you won't extract that. You 
can see the complete regular expression in Figure 10. 

Figure 10: Matches: The IP address and timestamp by 
combining two regular expressions. 

    (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s-\s-\s\[([^\]]+)\] 

    (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})   IP address field, Group 1 
    \s-\s-\s                               mandatory hyphens 
    \[([^\]]+)\]                           timestamp field, Group 2 

Now that you've formulated this regular expression, you can 
begin writing Java code using the regular expression library. 

Using the Jakarta-ORO library 

To begin using the Jakarta-ORO library, first create the regular 
expression string and the sample string to parse: 

    String logEntry = "172.26.155.241 - - [26/Feb/2001:10:56:03 -0500] " 
                      + "\"GET /isAlive.htm HTTP/1.0\" 200 15"; 

    String regexp = "([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})" 
                    + "\\s-\\s-\\s\\[([^\\]]+)\\]"; 

The regular expression used here is nearly identical to the one 
found in Figure 10, with only one difference: in Java, you need to 
escape every backslash ("\"). Figure 10 is not in Java, so we need 
to escape the backslash character so as not to cause a 
compilation error. Unfortunately, this process is prone to error and 
you must do it carefully. You can type in the regular expression first 
without escaping the backslashes, and then visually scan the 
string from left to right and replace every occurrence of the "\" 
character with "\\". To double check, print out the resulting string 
to the console. 

After initializing the strings, instantiate the PatternCompiler 
object and create a Pattern object by using the PatternCompiler to 
compile the regular expression: 

    PatternCompiler compiler = new Perl5Compiler(); 
    Pattern pattern = compiler.compile(regexp); 

Now, create the PatternMatcher object and call the contains() 
method in the PatternMatcher interface to see if you have a match: 

    PatternMatcher matcher = new Perl5Matcher(); 
    if (matcher.contains(logEntry, pattern)) { 
        MatchResult result = matcher.getMatch(); 
        System.out.println("IP: " + result.group(1)); 
        System.out.println("Timestamp: " + result.group(2)); 
    } 

Next, print out the matched groups using the MatchResult 
object returned from the PatternMatcher interface. Since the logEntry 
string contains the pattern to be matched, you could expect the 
following output: 

IP: 172.26.155.241 

Timestamp: 26/Feb/2001:10:56:03 -0500 
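As an added example (my own code, not the article's), here is the log-entry extraction above as a complete class, with one check the expression in Figure 10 cannot make on its own: \d{1,3} accepts a value like 999, so each octet is range-checked before the address is trusted. The class name LogEntryParser and the sample entries are constructed for this example.

```java
import org.apache.oro.text.regex.MalformedPatternException;
import org.apache.oro.text.regex.MatchResult;
import org.apache.oro.text.regex.Pattern;
import org.apache.oro.text.regex.PatternCompiler;
import org.apache.oro.text.regex.PatternMatcher;
import org.apache.oro.text.regex.Perl5Compiler;
import org.apache.oro.text.regex.Perl5Matcher;

public class LogEntryParser {
    // Same expression as Figure 10, with every backslash doubled for Java.
    private static final String REGEXP =
        "(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\s-\\s-\\s\\[([^\\]]+)\\]";

    private final PatternMatcher matcher = new Perl5Matcher();
    private final Pattern pattern;

    public LogEntryParser() throws MalformedPatternException {
        PatternCompiler compiler = new Perl5Compiler();
        pattern = compiler.compile(REGEXP);
    }

    /**
     * Returns {ip, timestamp} for a matching entry, or null when the entry
     * does not match or the IP address is not a valid dotted quad.
     */
    public String[] parse(String logEntry) {
        if (!matcher.contains(logEntry, pattern)) {
            return null;
        }
        MatchResult result = matcher.getMatch();
        String ip = result.group(1);
        String timestamp = result.group(2);
        if (!isValidDottedQuad(ip)) {
            return null;
        }
        return new String[] { ip, timestamp };
    }

    // \d{1,3} only counts digits; the 0..255 range claimed in Figure 8 must be
    // verified separately, otherwise "999.26.155.241" would be accepted.
    static boolean isValidDottedQuad(String ip) {
        String[] octets = ip.split("\\.");
        if (octets.length != 4) {
            return false;
        }
        for (String octet : octets) {
            int value = Integer.parseInt(octet); // at most three digits reach here
            if (value > 255) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws MalformedPatternException {
        // Constructed sample entries in the same layout as the WebLogic line above.
        String[] entries = {
            "172.26.155.241 - - [26/Feb/2001:10:56:03 -0500] \"GET /isAlive.htm HTTP/1.0\" 200 15",
            "999.26.155.241 - - [26/Feb/2001:10:57:11 -0500] \"GET /isAlive.htm HTTP/1.0\" 200 15",
            "a line without an address or a bracketed timestamp"
        };
        LogEntryParser parser = new LogEntryParser();
        for (String entry : entries) {
            String[] fields = parser.parse(entry);
            if (fields == null) {
                System.out.println("rejected: " + entry);
            } else {
                System.out.println("IP: " + fields[0] + "  Timestamp: " + fields[1]);
            }
        }
    }
}
```

Only the first entry is reported; the second matches the pattern but fails the octet check, and the third never matches.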


HTML PROCESSING 

Your next task is to churn through your company's HTML 
pages and perform an analysis of all of a font tag's attributes. The 
typical font tag in your HTML looks like this: 

<font face="Arial, Serif" size="+2" color="red"> 

Your program will print out the attributes for every font tag 
encountered in the following format: 

face: Arial, Serif 
size: +2 
color: red 

In this case, I would suggest that you use two regular 
expressions. The first, shown in Figure 11, extracts face="Arial, Serif" 
size="+2" color="red" from the font tag: 
Figure 11: Matches: The all-attribute part of the 
font tag 

    <\s*font\s*([^>]*)\s*> 

    <          the "<" character 
    \s*        the optional space character 
    font       the tag name 
    \s*        the optional space character 
    ([^>]*)    this matches everything until the ">" character, as Group 1 
    \s*        the optional space character 
    >          the ">" character 

The second regular expression, shown in Figure 12, breaks 
down each individual attribute into a name-value pair: 

Figure 12: Matches: Each individual attribute, broken 
down into a name-value pair 

    ([a-z]+)\s*=\s*"([^"]+)" 

    ([a-z]+)   the attribute name, as Group 1 
    \s*        optional space character 
    =          the "=" character 
    \s*        optional space character 
    "          the opening double-quote character 
    ([^"]+)    matches everything until the double-quote character, as Group 2 
    "          the closing double-quote character 

Figure 12 breaks face="Arial, Serif" size="+2" color="red" into: 

face    Arial, Serif 

size    +2 

color   red 


Let's now discuss the code to achieve this. First, create the two 
regular expression strings and compile them into Pattern objects 
using the Perl5Compiler. Use the 
Perl5Compiler.CASE_INSENSITIVE_MASK option here when 
compiling the regular expression for a case-insensitive match. 

Next, create a Perl5Matcher object to perform matching: 

    String regexpForFontTag = "<\\s*font\\s*([^>]*)\\s*>"; 

    String regexpForFontAttrib = "([a-z]+)\\s*=\\s*\"([^\"]+)\""; 

    PatternCompiler compiler = new Perl5Compiler(); 

    Pattern patternForFontTag = compiler.compile(regexpForFontTag, 
                                    Perl5Compiler.CASE_INSENSITIVE_MASK); 

    Pattern patternForFontAttrib = compiler.compile(regexpForFontAttrib, 
                                    Perl5Compiler.CASE_INSENSITIVE_MASK); 

    PatternMatcher matcher = new Perl5Matcher(); 

Assume you have a variable called html of type String that 
represents a line in the HTML file. If the content of the html string 
contains the font tag, the matcher will return true, and you'll use the 
MatchResult object returned from the matcher object to get your first 
group, which includes all of your font attributes: 

    if (matcher.contains(html, patternForFontTag)) { 
        MatchResult result = matcher.getMatch(); 

        String attribs = result.group(1); 

        PatternMatcherInput input = new PatternMatcherInput(attribs); 
        while (matcher.contains(input, patternForFontAttrib)) { 
            result = matcher.getMatch(); 

            System.out.println(result.group(1) + ": " + result.group(2)); 
        } 
    } 


Next, create a PatternMatcherInput object. As previously 
mentioned, this object lets you continue matching from where the 
last match was found in the string; thus, it's perfect for extracting 
the font tag's name-value pairs. Create a PatternMatcherInput object 
by passing in the string to be matched. Then, use the matcher 
instance to extract each font attribute as it is encountered. This is 
done by repeatedly calling the contains() method of the 
PatternMatcher object with the PatternMatcherInput object instead 
of a String. Every iteration through the PatternMatcherInput object 
will advance a pointer within it, so the next test will start where 
the previous one left off. 

The output of the example is as follows: 

face: Arial, Serif 
size: +2 
color: red 


MORE HTML PROCESSING 

Let's continue with another HTML example. This time, imagine 
that your Web server has moved from widgets.acme.com to 
newserver.acme.com. You'll need to change the links on some of 
your Web pages from: 

<a href="http://widgets.acme.com/interface.html#How_To_Buy"> 

<a href="http://widgets.acme.com/interface.html#How_To_Sell"> 
etc. 

to 

<a href="http://newserver.acme.com/interface.html#How_To_Buy"> 

<a href="http://newserver.acme.com/interface.html#How_To_Sell"> 
etc. 

The regular expression to perform the search is shown 
in Figure 13. 

Figure 13: Matches: The link 
"http://widgets.acme.com/interface.html#(any anchor)" 

    <\s*a\s+href\s*=\s*"http://widgets.acme.com/interface.html#([^"]+)"> 

    <          the "<" character 
    \s*        optional space 
    a          the tag name 
    \s+        mandatory space 
    href       the href attribute 
    \s*        optional space 
    =          the "=" character 
    \s*        optional space 
    "http://widgets.acme.com/interface.html#   the link up to the anchor 
    ([^"]+)    matches everything until the double-quote character, as Group 1 
    ">         the closing double-quote and ">" characters 

If this regular expression is found, you can make your 
substitution for the link in Figure 13 with the following expression: 

<a href="http://newserver.acme.com/interface.html#$1"> 

Notice that you use $1 after the "#" character. Perl regular 
expression syntax uses $1, $2, and so forth to represent groups that 
have been matched and extracted. The expression shown above 
appends whatever text has been matched and extracted as Group 
1 to the link. 

Now, back to Java. As usual, you must create your testing 
strings, the necessary objects for compiling the regular expression into 
a Pattern object, and a PatternMatcher object: 

    String link = "<a href=\"http://widgets.acme.com/interface.html#How_To_Trade\">"; 

    String regexpForLink = 
        "<\\s*a\\s+href\\s*=\\s*\"http://widgets.acme.com/interface.html#([^\"]+)\">"; 

    PatternCompiler compiler = new Perl5Compiler(); 

    Pattern patternForLink = compiler.compile(regexpForLink, 
                                 Perl5Compiler.CASE_INSENSITIVE_MASK); 

    PatternMatcher matcher = new Perl5Matcher(); 

Next, use the static method substitute() from the Util class in the 
org.apache.oro.text.regex package for performing a substitution, and 
print out the resulting string: 

    String result = Util.substitute(matcher, 
                        patternForLink, 
                        new Perl5Substitution( 
                            "<a href=\"http://newserver.acme.com/interface.html#$1\">"), 
                        link, 
                        Util.SUBSTITUTE_ALL); 

    System.out.println(result); 


30 February • 2005 WWW.MACTECH.COM 





The syntax of the Util.substitute() method is as follows: 

    public static String substitute(PatternMatcher matcher, 
                                    Pattern pattern, 
                                    Substitution sub, 
                                    String input, 
                                    int numSubs) 

The first two parameters for this call are the PatternMatcher 
and Pattern objects created earlier. The input for the third 
parameter is a Substitution object that determines how the 
substitution is to be performed. In this case, use the 
Perl5Substitution object, which lets you use a Perl 5-style 
substitution. The fourth parameter is the actual string on which 
you wish to perform the substitution, and the last parameter lets 
you specify whether you wish to substitute on every occurrence 
of the pattern found (Util.SUBSTITUTE_ALL) or only substitute a 
specified number of times. 
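To see the effect of that last parameter, here is an added example (my own code, not the article's) that rewrites a constructed fragment containing two links, once with numSubs set to 1 and once with Util.SUBSTITUTE_ALL. Unlike the article's expression it escapes the periods in the host name so they match literally; the class name LinkRewriter is assumed.

```java
import org.apache.oro.text.regex.MalformedPatternException;
import org.apache.oro.text.regex.Pattern;
import org.apache.oro.text.regex.PatternCompiler;
import org.apache.oro.text.regex.PatternMatcher;
import org.apache.oro.text.regex.Perl5Compiler;
import org.apache.oro.text.regex.Perl5Matcher;
import org.apache.oro.text.regex.Perl5Substitution;
import org.apache.oro.text.regex.Util;

public class LinkRewriter {
    // Figure 13 with the periods escaped, so "widgets.acme.com" cannot match
    // "widgetsXacmeXcom"; backslashes are doubled for the Java string.
    private static final String REGEXP_FOR_LINK =
        "<\\s*a\\s+href\\s*=\\s*\"http://widgets\\.acme\\.com/interface\\.html#([^\"]+)\">";

    // $1 is re-inserted by Perl5Substitution, which interpolates groups by default.
    private static final String REPLACEMENT =
        "<a href=\"http://newserver.acme.com/interface.html#$1\">";

    /** Rewrites at most numSubs links (Util.SUBSTITUTE_ALL for every one). */
    public static String rewrite(String html, int numSubs) throws MalformedPatternException {
        PatternCompiler compiler = new Perl5Compiler();
        Pattern pattern = compiler.compile(REGEXP_FOR_LINK, Perl5Compiler.CASE_INSENSITIVE_MASK);
        PatternMatcher matcher = new Perl5Matcher();
        return Util.substitute(matcher, pattern, new Perl5Substitution(REPLACEMENT), html, numSubs);
    }

    public static void main(String[] args) throws MalformedPatternException {
        // Constructed input: two links, the second in upper case to exercise the mask.
        String page = "<a href=\"http://widgets.acme.com/interface.html#How_To_Buy\">Buy</a> "
                    + "<A HREF=\"http://widgets.acme.com/interface.html#How_To_Sell\">Sell</a>";

        System.out.println(rewrite(page, 1));                  // only the first link moves
        System.out.println(rewrite(page, Util.SUBSTITUTE_ALL)); // both links move
    }
}
```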


EXPRESS YOURSELF 

In this article, I've shown you the powerful features of 
regular expressions. When used appropriately, they can help a 
great deal in string extraction and text changes. I have also 
shown how you can incorporate regular expressions into your 
Java application using the open source Jakarta-ORO library. Now, 
it's up to you to decide whether the old string manipulation 
approach (using StringTokenizers, charAt, or substring) or a 
regular expression library, like Jakarta-ORO, works for you. 

QUICKTIME TOOLKIT • by Tim Monroe 

Terminal Velocity 

Developing Command-Line QuickTime Tools, Part II 

In the previous article ("The Terminal" in MacTech December 2004), 
we looked at using command-line tools to accomplish various 
QuickTime-related tasks, such as building movies from a series of 
still images or applying visual effects to an existing movie. We 
focused on building tools on Mac OS X, either using Xcode or just directly 
compiling and linking with cc on the command line. In this article, I want 
to continue that investigation by stepping through the process of building 
a command-line tool on Windows. The fundamental ideas are the same as 
on the Macintosh, but when moving to a different platform, it's always 
useful to see a step-by-step walkthrough. Then, toward the middle of this 
article, we'll return to Mac OS X to look at a clever way to actually draw 
video data on the screen using a command-line tool. 

DOS COMMAND-LINE 
TOOLS 

For our Windows command-line 
tool, let's build a C-language version 
of the listComps script we 
considered in the previous article. 
Figure 1 shows the C version of 
listComps at work in a DOS console 
window. We are asking it to list all 
available graphics exporters (that is, 
components of type 'grex'). 

Figure 1: Output of listComps 
on Windows 

Creating a Project 

Launch the Visual C++ 
development environment. Select 
"New..." in the File menu to get a list of available project 
types. In the Projects pane, select "Win32 Console 
Application". Set the project name and select a more 
convenient location for the project files (Figure 2). 

Figure 2: The new project dialog box 

Because there are several flavors of console 
applications, we'll be prompted to select one, as in Figure 
3. Choose "A "Hello, World!" application". 

Figure 3: The console application wizard 

At this point, the project window appears; the 
Workspace pane shows the files associated with the new 
project (Figure 4). 

Figure 4: The listComps Workspace pane 

Setting Project Paths 

Our Windows command-line tool will not actually call 
any QuickTime-specific APIs, since it can do all its work 
using the Component Manager functions 
FindNextComponent and GetComponentInfo. Nevertheless, 
we need to link against the library qtmlclient.lib, because the 
QuickTime Media Layer (QTML) supplies the Component 
Manager implementation on Windows. So let's select the 
Settings menu item in the Project menu and choose the Link 
tab. In the "Object/library modules" text box, add 
qtmlclient.lib, as shown in Figure 5. 
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copy directly into our project, Wc can then call the 
getopt fvincLion aK sliown in Listing L 

Listing 1: Handling command-line options 

main 

while C CroyChar = getopt (atgc. argv, "e:^’)) -1) 

I 

switch (myChar) E 
case ^ e ^ ^ 

string2ostype(optarg, fitmyType): 
break ; 

} 

} 

argc -= optind: 
argv += optind; 


Figure 5: The Link tab 

We also need to specily the path to the directory iliat 
contains the file qtmlclieni.lih, since it's probably not in 
the default library paths. In die Categoiy pop-up mentis 
select Input and add a full or relative path to that 
directoiy. As you can see in Figure 6, IVe specified a 
relative path from the directory containing the listComps 
project file to the directoiy that contains the QTML 
iiliraries on my machine. 



Figure 6: The Input pane of the Link tab 

Handling Command-Line Options 

As you know, we waul to be able to specify one or 
more component types on the coninnind fine, to litiiit 
the displayed components to the specified type or 
types. In our Mac OS X tools, we used the system call 
geUipl Ui pnicess options specified on the command 
line. The getopt function is not part of the standard 
Windows Aids, hut there arc implementations availabte 
that work well on Windows. Indeed, some of the 
Microsoft Developer Network (MSDN) sample code 
includes the files getopt.c and getopt.h, which we can 


You may recall that in the previous article we 
provided a quick and dirty version of the string2ostype 
function. Let's take a moment to look at a better version. 
The principal flaw with the original version was that it 
assumed that all strings specified on the command line 
would be exactly four characters in length. While most 
publicly defined values of type OSType are indeed 
exactly four characters in length, not all are. Listing 2 
provides a better implementation that handles strings of 
any length that is less than or equal to 4. 

Listing 2: Converting a string into an OSType 

string2ostype 

void string2ostype (const char *inString, OSType *outType) 
{ 
    OSType type = 0; 
    short i; 

    // pack up to four characters, first character in the high byte; 
    // a shorter string is padded with zero bytes on the right 
    for (i = 0; i < 4; i++) { 
        type <<= 8; 
        if (*inString) { 
            type += (unsigned char)(*inString); 
            inString++; 
        } 
    } 

    *outType = type; 
} 

Note that it's perfectly legal for the string passed in to 
contain spaces, so our code can handle strings like "eat " 
(the component subtype of movie importers). The only 
restriction is that strings containing spaces need to be 
quoted on the command line, like this: 

listComps -e "eat " 

The listComps tool also needs to implement an 
ostype2string function, so that it can display the type, 
subtype, and manufacturer of any found component in a 
readable form. Listing 3 shows a version of ostype2string. 
Listing 3: Converting an OSType into a string 

ostype2string 

static void ostype2string (OSType inType, char *outString) 
{ 
    unsigned char theChars[4]; 
    unsigned char *theString = (unsigned char *)outString; 
    unsigned char *theCharPtr = theChars; 
    int i; 

    // extract four characters in big-endian order 
    theChars[0] = 0xff & (inType >> 24); 
    theChars[1] = 0xff & (inType >> 16); 
    theChars[2] = 0xff & (inType >> 8); 
    theChars[3] = 0xff & (inType); 

    // copy printable characters; replace anything else with a space 
    for (i = 0; i < 4; i++) { 
        if ((*theCharPtr >= ' ') && (*theCharPtr <= 126)) { 
            *theString++ = *theCharPtr; 
        } else { 
            *theString++ = ' '; 
        } 
        theCharPtr++; 
    } 

    *theString = 0;   // outString must have room for 5 bytes 
} 

You'll notice that any unprintable characters (that 
is, characters with ASCII values less than 32 or greater 
than 126) are replaced by a space character. For our 
present purposes, that's quite acceptable. For other 
purposes, however, it might be better to encode 
unprintable characters in some way so that their values 
are easily discernible. This refinement is left as an 
exercise for the reader. 
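The same two conversions, rendered in Java as an added example (not the column's code), with the refinement the text leaves as an exercise: a byte outside 32..126 is written as \xNN rather than a space, so a code such as "ea" (zero-padded by Listing 2) is still distinguishable from "ea  ". The class name OSTypeCodec is my own.

```java
public class OSTypeCodec {

    /**
     * Packs up to four characters into a 32-bit code, first character in the
     * high byte, exactly as Listing 2 does; a shorter string is padded with
     * zero bytes on the right.
     */
    static int string2ostype(String s) {
        if (s.length() > 4) {
            throw new IllegalArgumentException("an OSType holds at most 4 characters");
        }
        int type = 0;
        for (int i = 0; i < 4; i++) {
            type <<= 8;
            if (i < s.length()) {
                type |= s.charAt(i) & 0xff;
            }
        }
        return type;
    }

    /**
     * Unpacks a code in big-endian order. Printable bytes (32..126) are kept;
     * any other byte is rendered as \xNN so its value remains discernible.
     */
    static String ostype2string(int type) {
        StringBuilder out = new StringBuilder();
        for (int shift = 24; shift >= 0; shift -= 8) {
            int b = (type >>> shift) & 0xff;
            if (b >= 32 && b <= 126) {
                out.append((char) b);
            } else {
                out.append(String.format("\\x%02X", b));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the movie-importer subtype, a 2-character code, and
        // a code whose bytes are all unprintable.
        String[] samples = { "eat ", "ea", "\u0001\u0002\u0003\u0004" };
        for (String s : samples) {
            int code = string2ostype(s);
            // "eat " -> 0x65617420 -> "eat "; "ea" -> 0x65610000 -> "ea\x00\x00"
            System.out.printf("0x%08X -> %s%n", code, ostype2string(code));
        }
    }
}
```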


Finding Components

Looping through all installed components to find those with a specific component type is really easy. All we need to do is use the functions FindNextComponent and GetComponentInfo, as shown in Listing 4. Notice that we call InitializeQTML with a set of flags appropriate for command-line tools, and that we later call TerminateQTML.

Listing 4: Listing installed components

main

int main (int argc, char* argv[])
{
    char myType[5];                 // printable forms, filled by ostype2string
    char mySubType[5];
    char myManu[5];
    int myChar;
    OSType theType = 0L;            // the type we are searching for

    ComponentDescription findCD = {0, 0, 0, 0, 0};
    ComponentDescription infoCD = {0, 0, 0, 0, 0};
    Component comp = NULL;

    // process command-line options
    while ((myChar = getopt(argc, argv, "e:")) != -1) {
        switch (myChar) {
            case 'e':
                string2ostype(optarg, &theType);
                break;
        }
    }
    argc -= optind;
    argv += optind;

#if !TARGET_OS_MAC
    InitializeQTML(kInitializeQTMLNoSoundFlag | kInitializeQTMLUseGDIFlag);
#endif

    findCD.componentType = theType;
    findCD.componentFlagsMask = cmpIsMissing;

    while ((comp = FindNextComponent(comp, &findCD)) != NULL) {
        GetComponentInfo(comp, &infoCD, NULL, NULL, NULL);
        ostype2string(infoCD.componentType, myType);
        ostype2string(infoCD.componentSubType, mySubType);
        ostype2string(infoCD.componentManufacturer, myManu);
        printf("%s\t%s\t%s\n", myType, mySubType, myManu);
    }

#if !TARGET_OS_MAC
    TerminateQTML();
#endif

    return 0;
}

This implementation does not support more than one -e option on the command line; removing that restriction is also left as an exercise for the reader.

MOVIE PLAYBACK IN THE TERMINAL

In the previous article, I mentioned that command-line tools are well-suited to handle tasks that do not require visual movie data to be displayed to the user. Command-line tools can play audio just fine, and (as we've seen) they can create and modify QuickTime movies in virtually any way imaginable. They just can't display any video data on the screen.

Or can they? Consider our standard penguin movie, the last frame of which is shown once again in Figure 7. If we are very clever, we can write a command-line tool that displays the movie in a Terminal window, as in Figure 8. As you can see, the image is composed of ASCII characters. All we need to do is draw an image like this, erase the Terminal window, draw another image, and so forth. So, if we can do this erasing and drawing fast enough, and if we are willing to live with images composed entirely of ASCII characters (or whatever else can be displayed in a Terminal window), we can indeed play QuickTime video using a command-line tool.

How is this done? It's actually surprisingly simple. I'll step through the details in a moment, but in overview the process is this: open a QuickTime movie and set it to draw to an offscreen graphics world. Play the movie by calling MCIdle until the movie is done. Each time a frame is drawn into the offscreen graphics world, inspect each pixel that lies on an intersection of two lines in a w x h grid, where w and h are the width and height of the Terminal window. Convert the RGB value of that pixel to a relative lightness value (called the luminance of the pixel) and map that luminance value to one of these 23 characters: " +=doL76x0s^^8%#@$". Draw the character at the appropriate location on the Terminal window. Voila: Terminal-based movie playback.

Opening and Running the Movie

The first part of this process is easy. We already know how to open a QuickTime movie file and load the movie from the file. Then we need to create an offscreen graphics world and set the movie to draw into it, as shown in Listing 5.

Figure 7: A movie playing in an application window

Figure 8: A movie playing in a Terminal window


Listing 5: Setting up to draw

main

Rect myBounds;
GWorldPtr myGW = NULL;

GetMovieBox(myMovie, &myBounds);
QTNewGWorld(&myGW, k32ARGBPixelFormat, &myBounds, NULL, NULL, 0);
if (myGW != NULL) {
    LockPixels(GetGWorldPixMap(myGW));
    SetGWorld(myGW, NULL);
    myMC = NewMovieController(myMovie, &myBounds,
                              mcTopLeftMovie | mcNotVisible);
    SetMovieGWorld(myMovie, myGW, NULL);
    SetMovieActive(myMovie, true);
}

Notice that we create a new movie controller with the controller bar hidden.

Once this is all accomplished, we can start the movie playing, like this:

MCDoAction(myMC, mcActionPrerollAndPlay, (void *)fixed1);

And we can run the movie by continually calling MCIdle:

do {
    MCIdle(myMC);
} while (1);

Remember, though, that we want to do some work each time a frame is drawn into the offscreen graphics world, so we'll also install a movie drawing-completion procedure:

SetMovieDrawingCompleteProc(myMovie, movieDrawingCallWhenChanged,
                            DrawCompleteProc, (long)myGW);

This drawing-completion procedure, DrawCompleteProc, will be responsible for looking at the appropriate pixels in the offscreen graphics world, converting them into characters, and drawing the characters into the Terminal window. (For more information about movie drawing-completion procedures, see "Loaded" in MacTech, September 2002.)

Converting Pixels to Luminance Values

The pixels in the offscreen graphics world contain RGB data. What we want to do is convert an RGB value into a luminance value, which is a measure of the lightness of the RGB value. Figure 9 shows the luminance color space. (Exciting, huh?)

Figure 9: The luminance color space

The standard formula for converting an RGB value into a luminance value is this:

Y = (0.30 x R) + (0.59 x G) + (0.11 x B)

In our command-line tool, we'll approximate this value, for a given pixel color, with this code:

R = (color & 0x00FF0000) >> 16;
G = (color & 0x0000FF00) >> 8;
B = (color & 0x000000FF) >> 0;
Y = (R + (R << 2) + G + (G << 3) + (B + B)) >> 4;

That is, Y is computed as (5R + 9G + 2B) / 16 using only shifts and adds, which weights the channels 0.3125, 0.5625 and 0.125 instead of 0.30, 0.59 and 0.11. The luminance values generated in this way will range from 0 to 255, where 0 is black and 255 is white.

Converting Luminance Values to Characters

In order to be able to draw in a Terminal window, we need to convert these luminance values into ASCII characters. The list of characters given earlier is ranked roughly in order of lightness, with characters to the left being lighter than those to the right. The code in Listing 6 loads an array with these characters.

Listing 6: Loading a conversion array

main

char convert[256];
char *table = "   +=doL76x0s^^8%#@$";

// spread the table characters evenly over the 256 luminance values
for (i = 0; i < 256; i++) {
    convert[i] = table[i * strlen(table) / 256];
}

For instance, luminance values in the range 195 to 204 are mapped to the ampersand. (Notice that the first three characters in the table string are the space character, so that any luminance value less than or equal to 30 is mapped to the space character.)

Drawing Characters

All that remains is to see how to traverse the offscreen graphics world to grab pixels and draw the associated character into the Terminal window. A couple of for loops will do the trick, as shown in Listing 7.


Listing 7: Drawing characters

DrawCompleteProc

static pascal OSErr DrawCompleteProc (Movie theMovie, long theRefCon)
{
#define WIDTH ((float)(80))
#define HEIGHT ((float)(24))

    int y, x;
    GWorldPtr myGW = (GWorldPtr)theRefCon;
    Rect myBounds;
    Ptr baseAddr;
    long rowBytes;

    // get the information we need from the GWorld
    GetPixBounds(GetGWorldPixMap(myGW), &myBounds);
    baseAddr = GetPixBaseAddr(GetGWorldPixMap(myGW));
    rowBytes = GetPixRowBytes(GetGWorldPixMap(myGW));

    // go to home position
    printf("%c[0;0H", ESC);

    // for each row
    for (y = 0; y < HEIGHT; ++y) {
        long *p;

        // address of the source scanline that this output row samples
        p = (long *)(baseAddr + rowBytes *
                (long)(y * ((myBounds.bottom - myBounds.top) / HEIGHT)));

        // for each column
        for (x = 0; x < WIDTH; ++x) {
            UInt32 color;
            long Y, R, G, B;

            color = *(long *)((long)p + 4 *
                    (long)(x * (myBounds.right - myBounds.left) / WIDTH));
            R = (color & 0x00FF0000) >> 16;
            G = (color & 0x0000FF00) >> 8;
            B = (color & 0x000000FF) >> 0;

            // convert to luminance
            Y = (R + (R << 2) + G + (G << 3) + (B + B)) >> 4;

            // draw it
            putchar(convert[255 - Y]);
        }

        // next line
        putchar('\n');
    }

    return noErr;
}
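As an added example (not the article's code) covering Listings 6 and 7: the shift-and-add luminance approximation is checked exhaustively against the standard formula, and a constructed 8 x 4 ARGB frame is sampled onto a 4 x 2 character grid the way DrawCompleteProc samples the offscreen world. The character table is the one quoted earlier in the text; the plain byte-buffer layout, the sample frame and the render_sample helper are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* The article's integer approximation: Y ~ (5R + 9G + 2B) / 16. */
int luminance_approx(uint32_t color)
{
    long R = (color & 0x00FF0000) >> 16;
    long G = (color & 0x0000FF00) >> 8;
    long B = (color & 0x000000FF) >> 0;
    return (int)((R + (R << 2) + G + (G << 3) + (B + B)) >> 4);
}

/* The standard formula Y = 0.30R + 0.59G + 0.11B, rounded to the nearest
 * integer and evaluated in integer arithmetic so the result is exact. */
int luminance_exact(uint32_t color)
{
    long R = (color & 0x00FF0000) >> 16;
    long G = (color & 0x0000FF00) >> 8;
    long B = (color & 0x000000FF) >> 0;
    return (int)((30 * R + 59 * G + 11 * B + 50) / 100);
}

/* Largest |approx - exact| over every 24-bit colour (16.7M values). */
int max_luminance_error(void)
{
    uint32_t color;
    int worst = 0;
    for (color = 0; color < 0x01000000u; color++) {
        int d = luminance_approx(color) - luminance_exact(color);
        if (d < 0) d = -d;
        if (d > worst) worst = d;
    }
    return worst;
}

/* Listing 6: spread the characters of table over the 256 luminance values. */
void build_convert_table(char convert[256], const char *table)
{
    size_t len = strlen(table);
    int i;
    for (i = 0; i < 256; i++) {
        convert[i] = table[i * len / 256];
    }
}

/* Listing 7 without QuickTime: sample the frame on an outW x outH grid and
 * write one character per grid point, '\n' after each row, NUL at the end.
 * pixels is a 32-bit ARGB buffer with rowBytes bytes per scanline (rows may
 * be padded, which is why the stride is not assumed to be pixW * 4).
 * out must hold (outW + 1) * outH + 1 bytes. */
void render_frame(const uint8_t *pixels, int pixW, int pixH, long rowBytes,
                  int outW, int outH, const char convert[256], char *out)
{
    int x, y;
    for (y = 0; y < outH; y++) {
        /* source row for this output row; y < outH keeps it below pixH */
        const uint8_t *row = pixels + rowBytes * (long)(y * pixH / outH);
        for (x = 0; x < outW; x++) {
            int srcX = x * pixW / outW;     /* always below pixW */
            uint32_t color;
            memcpy(&color, row + 4 * (long)srcX, sizeof color);
            /* white -> index 0 (space), black -> the darkest character */
            *out++ = convert[255 - luminance_approx(color)];
        }
        *out++ = '\n';
    }
    *out = '\0';
}

/* Constructed sample frame: 8 x 4 pixels, top half white, bottom half
 * black, with one mid-grey pixel in the top-left corner. */
#define FRAME_W 8
#define FRAME_H 4
static uint32_t sample_frame[FRAME_W * FRAME_H];

/* Render the sample frame on a 4 x 2 grid with the given character table;
 * returns a static buffer holding the two text rows. */
const char *render_sample(const char *table)
{
    static char out[(4 + 1) * 2 + 1];
    char convert[256];
    int i;

    for (i = 0; i < FRAME_W * FRAME_H; i++)
        sample_frame[i] = (i < FRAME_W * FRAME_H / 2) ? 0x00FFFFFFu : 0u;
    sample_frame[0] = 0x00808080u;      /* grey: (5+9+2)*128/16 = 128 */

    build_convert_table(convert, table);
    render_frame((const uint8_t *)sample_frame, FRAME_W, FRAME_H,
                 FRAME_W * 4, 4, 2, convert, out);
    return out;
}

int main(void)
{
    printf("worst luminance error: %d\n", max_luminance_error());
    fputs(render_sample("   +=doL76x0s^^8%#@$"), stdout);
    return 0;
}
```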

Notice that the cursor is moved to the home position on the Terminal window (that is, the location at the top-left of the window) at the beginning of the callback procedure with this line of code:

printf("%c[0;0H", ESC);

By default, the Terminal application emulates a terminal of type xterm-color, which supports a superset of the standard vt100 escape codes. To move the cursor to the home position, therefore, we can send the sequence of characters Esc-[-0-;-0-H, where ESC is the ASCII value of the Escape key:

#define ESC 27

Similarly, when our tool first starts up, we want to erase the screen; we can do that like this:

printf("%c[2J", ESC);

MOVIE PLAYBACK IN THE DOS CONSOLE

So, we've seen how to build a command-line tool for Windows and how to "draw" movies inside a Terminal window on Mac OS X. We might naturally wonder whether we can combine these two accomplishments to do the same sort of movie drawing in the DOS console window. Indeed this is possible, but moving this code from Mac OS X to Windows is not without complications. The main problem here is that the DOS console window does not support the vt100 escape codes that we rely upon to move the cursor around the window and to clear the window. Happily, Windows provides a set of functions that so-called character-mode applications can use to control the cursor position and other characteristics of a console window. Once we move to those functions, it's straightforward to generate movie frames like the one shown in Figure 10.

Adjusting Header Files and Function Calls

First things first, however. We need to do a little work to make our code suitably cross-platform. The existing Mac OS X code includes only two header files:

#include <stdio.h>
#include <QuickTime/QuickTime.h>

We need to adjust that so that the appropriate files are included on each platform, like this:

#include <stdio.h>

#if TARGET_OS_MAC
#include <QuickTime/QuickTime.h>
#else
#include <windows.h>
#include <QTML.h>
#include <Movies.h>
#include <Quickdraw.h>
#include <QDOffscreen.h>
#include <string.h>
#include <FixMath.h>
#endif



Figure 10: A movie playing in a 
DOS console window 


If we try to compile and link our tool at this point, we'll discover that the GetPixBounds, GetPixBaseAddr, and GetPixRowBytes functions are not currently available on Windows. We can work around that limitation by directly accessing the fields of a PixMap structure, as shown in Listing 8.


Listing 8: Getting the offscreen graphics world information

DrawCompleteProc

#if TARGET_OS_MAC
    GetPixBounds(GetGWorldPixMap(offWorld), &bounds);
    baseAddr = GetPixBaseAddr(GetGWorldPixMap(offWorld));
    rowBytes = GetPixRowBytes(GetGWorldPixMap(offWorld));
#else
    bounds = (**GetGWorldPixMap(offWorld)).bounds;
    baseAddr = (**GetGWorldPixMap(offWorld)).baseAddr;
    rowBytes = (**GetGWorldPixMap(offWorld)).rowBytes & 0x3fff;
#endif


Note the mask 0x3fff applied to the value of the rowBytes field. It turns out that the two high-order bits of that field are used for other purposes, so we need to mask them off if we read it directly. (Without the mask, rowBytes would read as 0x4000 or more whenever those flag bits are set, and the pointer arithmetic in DrawCompleteProc would step far outside the pixel buffer.)

Finally, of course, we need to make sure to call InitializeQTML before we call EnterMovies and then call TerminateQTML once we are done drawing movie frames.

Controlling the Cursor

As I mentioned earlier, the DOS console window does not support the vt100 escape sequences that we use to clear the window and position the cursor when running in a Terminal window on Mac OS X. Fortunately, we can make use of a set of console functions supported by Windows for managing input and output in character-mode applications, that is, applications that read from the standard input and write to the standard output or to the standard error. For present purposes, we need to be concerned only with writing characters to the standard output, which we can access using a HANDLE value:

HANDLE hStdOut = GetStdHandle(STD_OUTPUT_HANDLE);

We can, for instance, move the cursor to a specified position by calling the SetConsoleCursorPosition function like this:

SetConsoleCursorPosition(hStdOut, coord);

The coord parameter is a value of type COORD that specifies the desired location of the cursor.

Listing 9 defines a function that we can call from either Windows code or Mac OS X code to move the cursor to a screen location.

Listing 9: Setting the position of the cursor

MoveCursor

void MoveCursor (int x, int y)
{
#ifdef TARGET_OS_WIN32
    COORD coord;

    coord.X = x;
    coord.Y = y;

    SetConsoleCursorPosition(hStdOut, coord);
#else
    // vt100 cursor positioning: Esc [ row ; column H
    fprintf(stdout, "%c[%d;%dH", ESC, y, x);
#endif
}

And Listing 10 defines a function that we can call to clear the console screen. On Windows, it simply fills the entire console screen with space characters.

Listing 10: Clearing the screen

ClearScreen

void ClearScreen (void)
{
#ifdef TARGET_OS_WIN32
    COORD coord = {0, 0};
    DWORD count;
    CONSOLE_SCREEN_BUFFER_INFO csbi;

    GetConsoleScreenBufferInfo(hStdOut, &csbi);
    FillConsoleOutputCharacter(hStdOut, ' ',
                               csbi.dwSize.X * csbi.dwSize.Y, coord,
                               &count);
#else
    // vt100 erase display
    fprintf(stdout, "%c[2J", ESC);
#endif
}

Once we revise the existing code to use MoveCursor and ClearScreen, we're done.

CONCLUSION

Command-line tools are powerful, easy to write, and can provide several advantages over GUI-based applications, even when working with multimedia technologies like QuickTime. In this article and the previous one, we've learned how to build QuickTime command-line tools on both Mac OS X and on Windows. We've also taken a look at a very clever way to display the visual output of a movie inside a Terminal window or a DOS console window.

REFERENCES

The ASCII Movie Player command-line tool for
Tom Dowdy and is available at
xMovieBasics-date.html. An enhanced version of this
MAC IN THE SHELL • by Edward Marczak

The Terminal: Why?

Love it or leave it!


You've got a fancy Aqua GUI in front of you (errr...if you have the print magazine in front of you, look at your OS X box now), why would anyone use the command line? The command line!?! We're here at MacTech because we use a Mac, the computer that popularized the GUI!!! The computer that said, "CLI? Gag me with a spoon!" (well, it was California in the 80's). However, despite Apple initially eschewing a command line altogether, the CLI has survived. There's a lot of power there, and OS X lets you tap into it. Furthermore, anyone can fire up a GUI utility and make some changes. But if you want to impress your date, you have to learn some command line tricks.

If you're a bit more of a CLI veteran, but are coming from a different platform, you may simply want to jump down to 'Apple-fying the CLI'.

The Past

I work with a broad spectrum of people that reign over technology in some way: from low-level hardware and software hackers, to networking experts, high-level FileMaker developers and GUI-rangers. These people have all learned, or come close to mastering, the command line, and are better for it. I've grown up in a world of teletypes, Commodores, IBMs, Unix boxes, Apples, Netware servers, DOS and Windows environments. All of these machines started with a command line (and some ended there). In the timeline of computing, the GUI was an afterthought. Not for the Mac, of course. But go back to an Apple II (if you've got one laying around!) and you'll find that when you boot up, you're presented with a ']' prompt and blinking cursor. Since this environment has been around so long in the Unix world, it is very well thought out and very mature. But it's certainly one of the reasons people not-in-the-know would panic when they'd turn on a computer. What do I do? It's just sitting there blinking at me. Will I break it if I type the wrong thing?

The Mac OS tried to end all of that command line fear and present a graphical interface at boot time that made people feel comfortable. They did a great job. But fast-forward to now, and Apple is singing a slightly different tune. However, I find many people who are dyed-in-the-wool Mac users simply pretend that Terminal.app doesn't exist.

The Present

Here we are, and there's a command line in a Macintosh operating system. They just couldn't keep it out of there. In all honesty, if it weren't in there, I'd be writing for a Linux magazine right now. As a techie, and someone who likes (and many times needs) to troubleshoot, there was no bigger breath of fresh air than when I fired up Terminal.app under OS X (10.0 beta, on my PowerBook G3). I immediately typed 'ping 192.168.30.1' for the network I was on and saw the replies come back. Wow, Apple did it. Keep Word. Keep Safari. Heck, even keep Quake and Tron 2.0, I don't want a computer without access to the command line. But why?

Terminally Acquainted

I mentioned the power that lies in the terminal, what is that all about? Why is it so much more powerful? Firstly, you can typically type more quickly than you can mouse around. From time to time, I see people launch Calculator and click on each number rather than use the number pad on their keyboard. Doing that just doubles the time required.


Secondly, people like to customize their GUI (I'll admit that when I work on other people's machines and I find the dock on the left it drives me a bit batty...) and GUIs change over time (look at the differences going from 10.0 to 10.3); the CLI is pretty much the CLI. Of course, it can be customized, but it's usually done in such a way that it doesn't change the way standard utilities run. Third, it gives you a consistent way to administrate a machine. Also, it gets you a little closer to the operations of the machine. Have you ever had the GUI lock up on you? I have. But everything else was still running and I was able to console in and reset the machine gracefully. Fourth, and most importantly, Apple lied to us! When OS X shipped, we were told that we'd never have to see a command prompt if we didn't want to. OK, perhaps not. But that stopped us from doing certain things with our machines. While the entire situation is getting better, there are things you can do in the terminal that there is simply no GUI equivalent for. With those notes, let's get familiar with Apple's Terminal.app, starting with the configuration that ships with OS X 10.3.

Launch Terminal.app from /Applications/Utilities/Terminal. Perhaps the fact that you find the app in 'Utilities' rather than 'Applications' is something that scares people right away, as if it's not something one should normally run. Figure 1 shows approximately what the default terminal looks like.



Figure 1 - A default terminal in OS X (Panther 10.3)

I say 'approximately' because you will have some differences. Of course, the time of your last login will be different. Unless you've already changed it, your "message of the day" will still read "Welcome to Darwin!" The next line is your prompt, and it is generated at run-time. 'Jack Kerouak' is the name of my machine (because, if you must know, it's a laptop and I'm always "On the Road"), and you'll have the host name of your machine. The ~ shows my current path, and by default, we start out in our home directory (which is represented by the tilde). "gutiie" is the short name of the account I'm logged in as (remember: Quake and Tron 2.0!), and you'll have your user name. Then, there it is, the cursor. Patiently waiting for you to type.

Black text on opaque white. Boring. Let's go check our window settings. Choosing the "Terminal->Window Settings..." menu gives us some ways to modify the look and behavior of the terminal. Figure 2 shows the first of several preferences that can be changed in the 'Terminal Inspector'.



Figure 2 - Terminal Window Settings 

Of course, these are all preferences, and are unique to each individual. I'm going to share how I like my terminal to behave, but by all means, choose what makes you most comfortable.

The first set of preferences, "shell", gives us one option: choose what to do when the shell is done. I think I've only had one occasion to keep it at the default, so I immediately change this to "Close only if the shell exited cleanly."

The "process" preferences work perfectly at "prompt before closing window if there are processes other than:". I like being prompted as little as possible for anything. The "emulation" settings have good defaults, but may need to be tweaked for a particular case. The only thing I do here is check the "option click to position cursor" checkbox, despite actually using that function very little myself.

The "buffer" preferences only deserve one change: set the scrollback to 'unlimited'. If you ever start compiling things from the command line, like a custom Apache install, 10,000 lines can disappear pretty quickly.

The "display" preferences are a little more fun, as their effects can be seen instantly. See figure 3 to get a look at this one.


Figure 3 - Display settings (Terminal Inspector, Display pane: Set Font, Cursor Style, Text, Anti-aliasing, Wide glyphs, blinking text, drag copy/paste, Character Set Encoding, Use Settings as Defaults)


Call me old-school, but I want a block cursor that blinks. Depending on the display I'm using, I'll sometimes drop the point size down to 9. A quick tip for you: never turn on anti-aliasing. Not only does it look terrible, it slows Terminal.app down, yes, even more so than it starts out. This is one valid gripe that users of Terminal.app have. Its speed is nowhere near a real terminal, a terminal emulator on other systems, or even a Windows DOS box (or, for that matter, DOSBox under OS X. Man is that thing quick!). While things did get better in Panther, Terminal is still the laggard, comparatively. But, hey, it looks great.

Next up are the color prefs, which go hand in hand with the display prefs. Have fun with this one: there are no wrong answers here. Come up with a style that is easy on your eyes and makes you feel at home. Again, I go for the old-school combo of green on black, with a pinch of ultra-modern transparency. I have one terminal combo of light-blue on dark-blue with a rather large font. Yes, it looks like a Commodore 64...

Stepping down brings us to the 'Window' preferences. I tend to check off just about everything in the lower half of the inspector window. Additionally, I like to make the terminal fairly large. Why have text wrap if it doesn't have to?

On the last page of options, the 'keyboard' prefs allow one to alter the escape codes that are sent to Terminal.app for each key. Unless you have a great need to change these (and you may), just leave these at their default settings.

Now, I know you've been eyeing that large "Use Settings as Defaults" button at the bottom of the Inspector window. Well, if you have everything set the way you like, click it! As soon as you click it...nothing happens! Well, OK, it does save your preferences, but there is absolutely no feedback that it's done anything. For proof, quit Terminal.app and relaunch it. You should now have a terminal that defaults to your settings. Nice, eh?

Now What?

So, now we've made the terminal pretty. Great. Besides staring at a blinking cursor, now what? Let's start with the basics. Again, you'll see where you are in the filesystem based on your prompt, which at first should read '~'. We can start from the top to best illustrate how this works. The very top level of the filesystem is represented by '/', or 'the root'. Type 'cd /' and press enter. This will 'c'hange 'd'irectory to '/'. You're now at the top level of your disk tree, basically represented by "Computer" in the Finder. You should also notice that the terminal prompt changed from '~' to '/'. Now, type 'cd Users' (capitalization is important). You've moved into the familiar Users folder. Let's see what's in here. Type "ls -l". This produces a file 'l'i's'ting of the current directory. The '-l' following the command is a switch that modifies the behavior of the command. In this case, we want a 'l'ong list. Try an 'ls' without the '-l' switch and you'll immediately see the difference (and, hopefully, why I prefer the long list).

So far so good, right? Nothing broke. Just remember, although the terminal brings you down to a lower level, there's still a thin veneer between you and the OS. Not quite the movie screen the GUI covers everything up with, but still, a level of abstraction exists. For example, when you ask for a file listing by typing 'ls', sure, you had to do something manually. Directory information didn't just come flying onto your screen. But neither did you have to tell the disk drive which blocks to access. So, as always, unless you pour liquid onto your CPU, you're not going to break anything.

If you feel comfortable with these two basic exercises, the command line just may be for you! Naturally, this doesn't scratch the surface of what can be done via the CLI. Not even the surface of the smallest surface that exists on the surface of the CLI.

Want More?

Listing files? I can do that in the Finder! Where's the power? If you're comfortable moving from directory to directory, we can look at some more powerful commands.

Continuing with file related commands is important, as Unix treats just about everything as a file. Your disk drive? A file. Even the terminal display can be treated as a file. We'll get into this deeper in future columns, but safe to say, file manipulation is important.

Back in the terminal, type 'cd'. Simply typed by itself, the change directory command will bring you back to your home directory. Now, type 'touch thefile.txt'. In short, the touch command will either create a zero-length file, or, if the name you specify already exists, will update the date stamp of that file to the current date and time. Get a directory listing and see if your file is there ('ls -l', remember?).

To copy that file, you use the 'cp' command. Type 'cp thefile.txt theotherfile.txt'. 5 points if you typed 'cp the' and hit tab to complete. This will copy 'thefile.txt' to a file called 'theotherfile.txt'. We can alter these files as well as having copied them. There are some holy wars in Unix-land as to the best text editor in the world. I use vi. No apologies, that's just what I use. It will absolutely be the subject of a future column. If you know another text editor, feel free to use it here.

Invoke vi (the Visual 'e'ditor) by typing 'vi theotherfile.txt' (did you use tab completion?). You'll be presented with a blank-ish looking screen with tildes running down the left-hand side. Figure 4 should mirror what you're seeing.

Figure 4 - vi with an empty file

The tildes represent a non-existent line, which, admittedly, can sometimes get confusing if you're editing a file with tildes. I'll just give the key presses with a short description, since I'll cover vi in a future column. Case is important, by the way. Press 'i' for 'i'nsert; you're now free to roam about the cabin. You should see a bold 'INSERT' notification at the bottom of the edit window. Type whatever text you'd like. I just typed 'This is a test.' When you're done, press the escape key on your keyboard. Type ':' (colon), and you should see a ":" appear at the bottom of the window you're editing in. Follow that with 'wq' and press Enter. That tells vi to 'w'rite the file to disk and then 'q'uit. You'll be dropped back to your prompt.

I'd like to delete the original file that we created. This is done with the 'rm' command. Now, just like files that you throw in the Trash via the Finder, be careful what you follow the 'rm' command with. Unlike the trash, though, the files that you list will be deleted immediately. No trash, no undo. Gone. Tab completion can be great, or you can use it without thinking after an rm command and nuke the wrong file. Be careful out there! That said, type 'rm thefile.txt' and, after checking yourself, press Enter. You've just deleted 'thefile.txt'.

The 'mv' (move) command moves and renames files. Renaming, after all, is just moving a file within the same directory. Type 'mv theotherfile.txt thelastfile.txt' and press Enter. 'theotherfile.txt' just became 'thelastfile.txt'. To bring this all home, we can open the file we created in the Finder. Switch to the Finder, and open your home directory. 10 points if you've left a Finder window of your home directory open this whole time and watched all of these machinations take place. You should see a text file named 'thelastfile.txt' sitting there. If you double click it, it should simply launch TextEdit. Check out our handiwork in Figure 5.

Figure 5 - TextEdit displaying our file

While this was all a bit contrived and trivial, I'm sure you can imagine some automated routines that compile information, save it to a file, and then display it via TextEdit or any other program. In fact, let's try something a little more serious.

Hop back over to terminal. Fire up vi or your favorite editor. I'll give instructions for vi. Type 'cd' so you're sure you are in your home directory. Type 'vi showdi.sh'. This will be a bash script that will show us a report of disk information for our main disk and display it in TextEdit. Press 'i', and you'll again see the bold 'INSERT' along the bottom of your editor window. Type the following exactly:

#!/bin/bash

diskutil info /dev/disk0 > /tmp/disklist.txt
open /tmp/disklist.txt

Save this file by pressing escape, typing ':wq' and pressing Enter. Type 'chmod 700 showdi.sh' and press enter. This gives this script the ability to be executed (run) as a program (ok, this is a bit simplified, but without this command, this script is just a text file).

Before we run this, let me note that you'll need to be an admin for this to work. When you're ready, type "./showdi.sh" to run our script. That's dot, forward-slash, showdi.sh. Don't forget the tab-completion for this one! Press enter. In about two seconds, TextEdit will pop up with a short report about our disk 'disk0'. See figure 6 for what this looks like.


Figure 6 - Our showdi.sh script in action.

Again, details of this script and all the commands we typed will be covered in future articles. 

Apple-Fying The CLI 

If you're a more seasoned user, you may have skipped some of the earlier bits of this article. You already know your way around. You know what a hard link is and you know how to use it. You like to fire up Terminal.app, dive in and never look back. Some things that may escape you if you're coming from another environment: 

If you're a big xterm person, there are some notable differences here. Mainly: 

• Terminal.app doesn't honor switches (like those that allow you to customize the Terminal at app launch). You have to use Terminal Inspector as described earlier. 

• $TERM defaults to "xterm-color", which is great on your own system, but can throw remote systems not ready for it. 

• You can't launch a new terminal from the command line! Goofy, eh? You just have to slap Apple-N. 

However, despair not. There are some really nice Terminal attributes. Such as: 

• You can set your window title on the fly (through escape sequences and an 'echo'). 

• Split-screen (see figure 4) 

• Tab completion. I couldn't survive without tab completion. 

• Integration with the Services menu. 


We'll step through these bits here. 

If you're really into customization and want to set your window title from the command line, or have a script that uses this functionality, you can! Try this: 

echo -n -e "\033]0;Title\007"

The "\033" is the 'escape' key, needed to start an ANSI escape sequence. Follow this code with the title you want, and close it out with a "\007". 

You can split your terminal horizontally by clicking the 'broken square' icon in the upper right-hand corner of the terminal window. This will display a horizontal bar that can be adjusted to size the windows as needed. Figure 4 shows a split screen with a file listing in the upper split, and 'top' running in the lower pane. While this functionality is useful, I use it very little. The reason for that will be part of a future article. 



Figure 7 - Terminal with split-screen activated 


Tab completion. All Unix veterans know some kind of completion. And when you start using it, you'll never give it up. For you hard-core Unix people: OS X has standard tab-completion, 'nuff said. If you don't know what this is, here's an illustration: once again, type 'cd /' to get to the root. Now, type 'cd Li' and then press the 'tab' key. Suddenly, the line you're working on fills itself out (to become 'cd Library/'). Now, type 'W' and a 'tab'...boom! You now have 'cd Library/WebServer'. This cuts down on the keystrokes you need to type by a huge factor. Sometimes, you hit 'Tab' and you simply hear a beep. That's either because nothing matches, or more than one thing matches. As an example, if you still have Classic loaded on your machine, and you type 'cd /Sy' and press tab, you get a partial completion (to 'System') and a beep. If you press 'Tab' again, the shell will show you the matches. In this particular case, you can either accept the match of 'System' (because it's valid), or type '\ ' (backslash-space) and press 'Tab' again to have the shell complete the next match. The more you use it, the more you'll get the hang of it. Just don't practice on Windows XP, which now supports tab completion, but has a really poor substitute of it. 
OS X has a great feature in the Services Menu - which someone else can cover much better than I can. Terminal.app has nice integration with this menu. Highlight some text, and then go check Terminal->Services. There's some nice functionality there, such as: Send to mail, create new sticky note, create new window in TextEdit, and more. 

One last note for those so inclined: You should also take a look at the actual Terminal preferences, accessed through the 'Terminal->Preferences' window. This will allow you to define several aspects about your terminal that can help out in situations where you're trying to emulate a different terminal. Be aware that changing the shell in the Terminal preferences screen will only change it for shells launched through Terminal.app. Alternate terminals (see below) and ttys from remote sessions, such as telnet or ssh, use the shell defined in your user profile. The good old 'chsh' works for this purpose, or, if you want to get all OS X about it, change the shell key in your NetInfo record. 

The Future 

Well, naturally, I can't predict the future. But I can tell you that a text, command line interface will be with us for some time to come. There are new applications showing up all the time that are CLI only. You can find MP3 players, Gnutella clients, games, web browsers, e-mail programs and more, that are all CLI driven. Although the Mac certainly needs it less than other platforms, which may still be text-driven by nature, learning the CLI is of great benefit. It helps you troubleshoot a Mac with a boot time problem, and it can help you automate your machine in better circumstances. I'd be remiss if I didn't mention that Apple's Terminal.app isn't the only terminal for OS X! There are two more that I'm aware of. GLTerm takes the speed issue head on. All display is done through OpenGL. It also supports X .bdf fonts. 


There may be cases where Terminal.app doesn't handle some graphics issue correctly. Chances are, GLTerm will handle those cases just fine. Find it at http://www.pollet.net/GLterm 

The second terminal alternative is iTerm. iTerm shoots for features. If you spend time in KDE or Gnome, check out iTerm. It has support for bookmarks (saving session settings), tabs, an anti-idle function and more. You can find it at http://iterm.sourceforge.net. 

The End 

This is the end...of this column only (whew!) Obviously, I'm a huge proponent of the CLI. Now, I'm not so stubborn that I use the Terminal for everything! After all, I am a Mac user! 

PS 

Anyone who read my 'Unix in OS X' article that appeared in the December MacTech should note that I did find the solution to making an OS X 10.3.4 through 10.3.7 machine accept remote syslog connections. In your /etc/rc file, you need to alter the syslog invocation to read: 

/usr/sbin/syslogd -a 192.168.1.100/24:* -m 0

where the IP address and mask (in CIDR notation) represent the interface to listen on. 

Unfortunately, this incantation has changed a few times and the syslog binary is out of sync with the man page. Stay tuned for any changes to remote logging! 




About The Author 

When he's not helping the clients of Radiotope, you'll find Ed Marczak on the grid, fighting for the users. 
By Paul Day 

Securing Mac OS X 

A guide to security hardening for Mac OS 10.3 


INTRODUCTION 

This article covers numerous methods to harden Apple's Mac OS X, from both a local user and network perspective. It is primarily aimed at the single-user Macintosh client machine owned and used by a security conscious user. Its methods can be equally applied to a multi-user machine, however there are numerous additional security risks presented the moment a Mac OS X machine is made multi-user. 

BACKGROUND 

Apple's MacOS has taken a dramatic change from its predecessors ("MacOS Classic"), introducing numerous parts of FreeBSD, NeXT and the Mach (Darwin) kernel into the MacOS environment. 

"Keep others out - With Mac OS X, you may never need to worry about security again." (http://www.apple.com.au/macosx/features/security/) 

A default install of Mac OS X is one of the more secure Unix operating systems from a network-security point of view, with no network services open by default. However, there are still numerous drawbacks to its local and network security which can be addressed by the administrator of the machine. 


ROOT USAGE 

By default, the root user account within Mac OS X has its password disabled. Throughout this paper, you are required to run a command "as root". The method of doing this is left up to the reader, but possibilities (in order of considered strength) include: 

• sudo <command> as a normal admin user. 

• sudo /bin/bash as a normal admin user and then running the commands. 

• Enabling the root account password, using su to start a shell as root and then running the commands. 

LOCAL SECURITY 

The following section covers numerous methods to harden security within Mac OS X from a local user perspective: 

• With local physical access to the machine via its console. 

• With interactive local access to the machine via methods such as Secure Shell (SSH) or Apple Remote Desktop (ARD). 
THE LOGIN WINDOW 


The following includes instructions to enable and lock down the GUI login window. By default, Mac OS X automatically logs in rather than forcing the user to authenticate at a login window. 

Enabling and locking down the Login Window 

To enable the GUI login window, disable password hints, access to shutdown/restart controls and automatic login you can edit the file /Library/Preferences/com.apple.loginwindow.plist as root or use the System Preferences Accounts pane as follows: 

• Apple menu -> System Preferences -> Accounts -> Login options 
-> Display Login Windows as -> Name and Password 

• Uncheck Automatically log in as: 

• Check Hide the Sleep, Restart and Shut Down buttons 

• Uncheck Enable fast user switching if not used 

Securing Login Window options 

Fast user switching is handy on a multi-user machine, however on a single-user machine where it is never used, it is an unnecessary risk (eg, an Apple Remote Desktop root compromise used Fast User Switching). 

To disable automatic login on a global basis: 

• Apple menu -> System Preferences -> Security 

• Check Disable automatic login 
Disabling automatic login 

To enable a text message to be displayed as part of the login window, you will need to edit the file /Library/Preferences/com.apple.loginwindow.plist as root. The file may look like: 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>DisableConsoleAccess</key>
	<true/>
	<key>LoginwindowText</key>
	<string>Authorized users only.</string>
</dict>
</plist>

Note the <string> line below the key LoginwindowText. Insert the text you would like to appear in the Login Window here and finish it with the </string>. 
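As an added example (not from the article), this POSIX shell script makes the same change to a copy of com.apple.loginwindow.plist: it XML-escapes the message, replaces an existing LoginwindowText value or inserts one if the key is absent, and reads the value back. The sample plist is constructed from the fragment quoted above, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the article): update LoginwindowText in a copy of
# com.apple.loginwindow.plist with POSIX tools only, so the result can be
# reviewed before it is installed in /Library/Preferences as root.

# Escape the three characters that are special inside an XML <string>.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# set_login_text PLIST_FILE MESSAGE
# Prints the plist with LoginwindowText set to MESSAGE: an existing value is
# replaced in place; if the key is absent the pair is inserted before </dict>.
# The message travels through the environment rather than awk -v, so that
# backslashes in it are not reinterpreted as escape sequences.
set_login_text() {
    LW_MSG=$(xml_escape "$2") awk '
        /<key>LoginwindowText<\/key>/ {
            print
            getline                       # consume the old <string> line
            print "    <string>" ENVIRON["LW_MSG"] "</string>"
            found = 1
            next
        }
        /<\/dict>/ && !found {
            print "    <key>LoginwindowText</key>"
            print "    <string>" ENVIRON["LW_MSG"] "</string>"
        }
        { print }
    ' "$1"
}

# login_text_of PLIST_FILE
# Prints the current (XML-escaped) LoginwindowText value, or nothing if unset.
login_text_of() {
    awk '/<key>LoginwindowText<\/key>/ {
            getline
            sub(/^[[:space:]]*<string>/, "")
            sub(/<\/string>[[:space:]]*$/, "")
            print
            exit
        }' "$1"
}

# Constructed sample, built from the fragment quoted in the article.
SAMPLE_LOGINWINDOW_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DisableConsoleAccess</key>
    <true/>
    <key>LoginwindowText</key>
    <string>Authorized users only.</string>
</dict>
</plist>'

# Demonstration on a temporary copy; nothing under /Library is touched.
demo_plist=$(mktemp)
printf '%s\n' "$SAMPLE_LOGINWINDOW_PLIST" > "$demo_plist"
set_login_text "$demo_plist" 'Authorized staff & contractors only.'
rm -f "$demo_plist"
```

On the Mac itself, `defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "..."` run as root makes the same change in one step; the script above is for preparing and checking the file elsewhere first.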

Changing passwords 

It is good security practice to regularly change your password, especially as the login window does not presently make use of mlock() or encrypted swap and a user with physical/root access to the machine could potentially get your login password from the swap files. 

• Apple Menu -> System Preferences -> Accounts 

• Select your username -> Select the Password field 

• If asked, type in your current password -> Type in a new 
password -> verify the new password 

SCREENSAVER 

Mac OS X comes with a built-in screen-saver that includes password locking. This should be enabled to stop someone from using your computer when you step away from it. 

To enable the screen-saver: 

• Apple menu -> System Preferences -> Desktop & Screensaver -> Screen Saver -> (Select a screen-saver) 

• Change Start screen saver to 3 minutes 

To require a password to exit the screen saver: 

• Apple menu -> System Preferences -> Security 

• Check Require password to wake this computer from sleep or screen saver 


Enabling password locking within screen saver 

You may also wish to enable an active-corner to disable the screensaver for times you don't want it to come on after inactivity (e.g. while watching a movie) and, more importantly, to instantly load the screensaver: 

• Apple menu -> System Preferences -> Desktop & Screensaver -> Screen Saver -> Hot Corners 

• Choose a corner, e.g. bottom right -> Disable Screen Saver 

• Choose a corner, e.g. top right -> Start Screen Saver 

Enabling a screen saver corner 

KEYCHAIN 

Mac OS X includes a utility for caching commonly used passwords. It should be noted that there is always a risk with caching a password on disk in any form, regardless of the software used. 

Keychain stores its passwords on disk in an encrypted form and it is difficult for a non-root user to sniff a password between applications. However, similar to the login window, it is possible to get hold of a user's Keychain password with root or physical access to a machine. The best practice is to remember your passwords without storing them. 

There are a number of steps you can take to minimise your risk when using Keychain Access. To enable Keychain automatic locking: 

• Applications -> Utilities -> Keychain Access -> Edit -> Change settings for Keychain "login" 

• Check Lock after 

• Change minutes of inactivity to 6 minutes 

• Check Lock when sleeping 

• Save 


Configure Keychain Access security settings 

By default, Mac OS X makes your Keychain password the same as your login password. It is good practice to keep each password different: 

• Edit -> Change Password for Keychain "login" 

• Type in your current user's login password 

• Type in a new different password twice 

• OK 


Changing your Keychain password 

PATCHING 


As is generally the case, you should keep your Mac OS X machine regularly patched with the latest software updates, which often include security fixes. 

Apple Software Update 

Mac OS X includes an automatic software update tool to patch the majority of Apple applications. Software Update often includes important security updates which should be applied to your machine. The tool automatically checks what updates are available and, with major upgrades, can download patches rather than full installations, to minimize the amount downloaded. 


Saltwwre uprfaie 


C<s 


C^tcleJnfl for n**r 




( Qiiit > imttit _; 

Software Update 

It is best to configure Software Update to automatically check for updates on a frequent basis: 

• Apple Menu -> System Preferences -> Software Update 

• Check Check for updates 

• Choose Daily from the drop-down menu. 

Your machine will now check with Apple for software updates once a day and notify you when there are new ones ready for download. 

Software update can also be run from the command line as root with: 

/usr/sbin/softwareupdate -ia

and scheduled to run with: 

/usr/sbin/softwareupdate --schedule on

Software update for Fink 

If you are using the Fink packaging system, you may also wish to have the following in root's daily crontab or in /etc/daily: 

/sw/bin/fink -y selfupdate
/sw/bin/fink -y selfupdate-cvs
/sw/bin/fink -y update-all
/sw/bin/fink -y scanpackages
/sw/bin/fink -y index
/sw/bin/fink -y cleanup
/sw/bin/apt-get -y update
/sw/bin/apt-get -y install fink
/sw/bin/apt-get -y upgrade
/sw/bin/apt-get -y dist-upgrade
/sw/bin/apt-get -y clean
/sw/bin/apt-get -y autoclean
/sw/bin/apt-get -y check


Other updates 

Many other major software packages include their own automatic software update utilities. These may be separate utilities such as Microsoft's AutoUpdate: 


# © Microsolt AmoUiKlaw _ 

UkjtiXGfl AuiDUpdate checks for new and updated versions of your Miciosofi 
software- See Help Idf more information about bow AutoUpdite worts. 

Kow would you Irkc to check for software updales? 

0 Manuallv 
0 Automoticallv 

Check for Updates ^ 

niectring occurs only when yon Km t nefwwt ctnuwaion 

C Neip~ 3 f etMfc Wlfpdo^ 

Microsoft AutoUpdate 

Other packages, such as Omni's OmniGraffle, include automatic updating from within the software package itself: 


Software Update, automatically 
check for updates 
OmniGraffle automatic software update 

You are encouraged to use these tools wherever possible, however specifics are beyond the scope of this paper. 

FILE ENCRYPTION 

There are a number of major ways of encrypting within Mac OS X. By far, the most secure method is to use GnuPG; however Apple's FileVault and disk images are much more convenient. 

FileVault and encrypted volumes 

Apple's FileVault is an implementation of its AES-encrypted volume images that automatically mount as your home directory as you login and decrypt/encrypt data on the fly. Encrypting data on your hard-drive is nothing new but MacOS 10.3 is the first Unix to integrate decryption and mounting seamlessly into the system. From the point-of-view of the user and applications, there is no encryption taking place, beyond a slight performance hit. 

To enable FileVault: 

• Apple menu -> System Preferences -> Security 

• Turn on FileVault 

Enabling FileVault 



Depending on the amount of data in your home directory, it may take a while to convert it into a FileVault. It should be noted here that after encrypting your home directory, it is not securely deleted. It is simply unlinked and hence could be recovered. 

You may also wish to set a master password for the computer. The master password should be different to your login (and hence FileVault) password and can be used to decrypt your FileVault in the case of password loss. 

From a security point of view, keep in mind that due to a lack of mlock() in FileVault, an attacker with physical or root access can gain your FileVault password and access to your encrypted files. 

Encrypted AES disk image 

Apple's encrypted disk images don't offer the seamless mounting of FileVault, but do still encrypt on the fly as you write to them. To create an encrypted disk image: 

• Applications -> Utilities -> Disk Utility 

• New Image 

• Save as -> Choose a name for the file system and image file name 

• Where -> Choose a location to save the image file 

• Size -> Choose a maximum size to allow the image to grow to 

• Encryption -> Choose AES-128 

• Format -> Sparse Disk Image 

• Create -> Enter and Verify password 

• Check or uncheck Remember password (add to Keychain) 


Save As: | iesUfwage 1 Q 

Where: f]^ Desktop 


SiHM 'SQOMft 

EhOYpfiOfi ■ AESr' 1 ^ 8 : (riK:ommtwted> _ ^ 

Form«; f sparse disk tmaqV 


( Cancel ) ( £fe^ } 

Creating an encrypted sparse image 

It is no less secure to save a disk image's password in the Keychain as Apple's SecurityAgent (the program that takes the password from the user) suffers from the same vulnerability as Keychain itself. 

Once you have created the disk image, you can mount it by double-clicking on it in Finder. It will then mount as /Volumes/<image file system name> and an icon will appear on your desktop. 

Openssl encrypted files 

Another alternative is using openssl and a password to encrypt a file. Openssl does not employ asymmetric keys (i.e. a private and public key) and allows you to just assign a single password to the encrypted file. However, openssl under Mac OS X may suffer a similar vulnerability to FileVault. 

To encrypt a file using openssl and the (128bit) blowfish encryption algorithm: 

openssl bf -salt -in <plain file> -out <encrypted file>

Then securely remove the original file: 

srm -fm <input file>

Finally, decrypt the file back: 

openssl bf -d -in <encrypted file> -out <plain file>

A script to encrypt an entire directory could be: 

#!/bin/sh
# Script to encrypt a dir and securely remove it.

if [ $# -lt 1 ]; then
    echo "Usage: $0 dir_to_encrypt"
    exit 1
fi

# Archive name: the directory argument with any slashes removed.
file=$(echo "$1" | sed 's/\///g')
dir=$1

echo -n "Checking if $dir actually exists... "
if [ ! -d "$dir" ]; then
    echo "No. Exiting."
    exit 1
fi
echo "Yes."

echo -n "Checking to make sure $file.tar.gz.bf doesn't already exist... "
if [ -e "$file.tar.gz.bf" ]; then
    # exists
    echo "Yes. Exiting."
    exit 1
else
    # doesn't exist
    echo "No."
fi

echo -n "Checking to make sure tempfile doesn't already exist... "
if [ -e temp.tar.gz ]; then
    echo "Yes. Exiting. You need to remove temp.tar.gz."
    exit 1
else
    echo "No."
fi

echo "Tarring up directory..."
tar -zcvf temp.tar.gz "$dir"
echo "Done."

echo "Encrypting directory..."
# Stop here if openssl fails (e.g. mismatched passwords), so the directory
# is never offered for removal without a usable encrypted copy.
if ! openssl bf -salt -in temp.tar.gz -out "$file.tar.gz.bf"; then
    echo "Encryption failed. Exiting without removing anything."
    srm -fm temp.tar.gz
    exit 1
fi
echo "Done."
echo
echo "Here is what the encrypted archive looks like:"
ls -l "$file.tar.gz.bf"
echo

echo "Is it safe to securely remove $dir? (y)/n"
read remove

if [ "x$remove" = xn ] || [ "x$remove" = xN ]; then
    echo "Ok, exiting without removing it."
    srm -fm temp.tar.gz
    exit 0
else
    echo "Ok, removing $dir securely and exiting..."
    srm -rfm "$dir"
    srm -fm temp.tar.gz
    echo "Done"
fi

exit

Finally, a matching script to decrypt the archive back to a directory in the current working directory: 

#!/bin/sh
# Script to decrypt a tar.gz.bf archive

if [ $# -lt 1 ]; then
    echo "Usage: $0 archive_to_decrypt"
    exit 1
fi

file=$1
# Directory name: the part of the archive name before the first dot.
dir=$(echo "$1" | cut -d . -f 1)

echo -n "Checking if $file actually exists... "
if [ -f "$file" ]; then
    echo "Yes."
else
    echo "No. Exiting."
    exit 1
fi

echo -n "Checking to make sure $dir doesn't already exist... "
if [ -e "$dir" ]; then
    # exists
    echo "Yes. Exiting."
    exit 1
else
    # doesn't exist
    echo "No."
fi

echo -n "Checking to make sure tempfile doesn't already exist... "
if [ -e temp.tar.gz ]; then
    echo "Yes. Exiting. You need to remove temp.tar.gz."
    exit 1
else
    echo "No."
fi

echo "Decrypting..."
if ! openssl bf -salt -d -in "$file" -out temp.tar.gz; then
    echo "Decryption failed (wrong password?). Exiting."
    rm -f temp.tar.gz
    exit 1
fi

echo "Untarring..."
tar -zxvf temp.tar.gz

echo "Cleaning up..."
rm temp.tar.gz

echo "All done."
echo

exit


GnuPG encrypted files 

Gnu Privacy Guard (an open source version of PGP) allows you to encrypt a file using a public key. You would then be able to decrypt the file at a later date using the private key and the key's passphrase. 

Unlike FileVault, GnuPG makes use of mlock() and hence doesn't suffer from the same vulnerability. However, it has had a number of its own security concerns. 

This section assumes you have already managed to install GnuPG and have created yourself a public/private key-pair. Numerous resources to help you can be found on the web. To then encrypt a file, you would use: 

gpg -r <your key's name> --encrypt-files <filename>

This will create the file filename.gpg. You should securely remove the original plain-text with: 

srm -fm <filename>

Apple's srm is included with OS 10.3 (some users may prefer using the GNU fileutils rm). Similar to the GNU utility shred, srm overwrites the file 7 times with random data before unlinking it from the file-system. 

To then decrypt the encrypted file: 

gpg -r <your key's name> --decrypt-files <filename.gpg>
gpg can also be used with just a symmetric cipher and a single password by using the -c switch. 

The two scripts in the section above cover en/decrypting entire directories and could be easily modified to use gpg instead of openssl. 

CONFIGURING OPEN FIRMWARE PASSWORD 

Configuring an Open Firmware (OF) password on your Mac will disable any boot keys when your machine is booting. This means a user with physical access to the machine is unable to boot the machine into target-disk mode, from CD-ROM or into single-user mode. 

The simplest way to set an OF password is to use Apple's utility, which can be found at <http://www.apple.com/downloads/macosx/apple/openfirmwarepassword.html>. 

The utility asks for your user password so that it can run sudo nvram to set the OF password and then asks for a password to set as the OpenFirmware password: 

Setting an OpenFirmware password 

To set the password yourself directly from OpenFirmware: 

<power-button>
option-apple-o-f
password
<enter your password>
setenv security-mode command
reset-all

You may wish to remove the OpenFirmware password when you are unable to boot the machine properly and need to re-install, back data up using target mode or boot using single-user. 

To do this, remove it directly from OpenFirmware: 

<power-button>
option-apple-o-f
<enter password>
setenv security-mode none
nvramrc
reset-all

In an emergency, the OpenFirmware password can also be removed by changing the amount of RAM and then resetting the PRAM three times (press and hold option-apple-p-r while powering up until you hear the machine reboot three times). This is obviously also a potential security risk and for this reason, your machine should be physically secured. 

You should also be aware that anyone with root/sudo access to the machine can easily get the OpenFirmware password. Like Sun's OpenBoot, OpenFirmware is unable to hash the password before placing it into non-volatile memory. The hex code of the ASCII password can be revealed with, as root: 

nvram security-password

You can then convert the output back to ASCII to get the current OpenFirmware password. 

DISABLING FIREWIRE DIRECT MEMORY ACCESS 

By default, the FireWire protocol gives the FireWire device access to the host's physical memory. This could potentially be used to suck the entire memory contents out of the machine (including your passwords and current working data). Alternatively, an attacker could determine where in memory the screensaver is and insert some random bytes to crash the screensaver, gaining access to the machine. 

An undocumented side-effect of enabling an Open Firmware password (see section above) is that it indirectly disables physical memory access for FireWire devices through the IOFireWireFamily kernel driver. 

Disabling FireWire DMA appears to have little effect on the performance of FireWire. 

DISABLING SINGLE-USER LOGINS 

A default installation, without an OpenBoot password (or with a subverted OpenBoot password), can be booted into a single-user shell by holding down the key during power-up (or boot disk -s from within OpenBoot). This could be used by an attacker with physical access to read your data, add extra accounts or change your passwords. 

The following section introduces a method of ensuring a user must enter a password before being presented with a root user shell as part of a single user login. 

As root: 

vi /etc/ttys
:1,$s/secure/insecure/g
:wq

To generate a password for root to use when logging into a single-user booted system we use openssl: 

openssl passwd -salt <xy> <password>

Replace <xy> with two random letters to use as salt for the hashing and <password> with the password you want to use for the single-user login. This is completely separate from the local root password, which, if it exists, is stored in the NetInfo database by default. 

Now copy the hash that was returned by openssl into your paste buffer, open the file /etc/master.passwd in vi (or your favourite editor) and replace the asterisk (*) next to "root:" with the hash so the file looks something like: 

#
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:BikQfmlDhzii6Q:0:0::0:0:System Administrator:/var/root:/bin/sh

Write the file to disk (with :wq) and exit vi. You will now be asked for the password when booting into single-user. 
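As an added example (not from the article), here are the two edits above as shell functions that operate on working copies of /etc/ttys and /etc/master.passwd, so the result can be inspected before it is installed as root. The sample file contents are constructed, the hash is a placeholder, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the article): the two single-user-mode edits
# described above, applied to working copies of /etc/ttys and
# /etc/master.passwd so the result can be inspected before it is installed.

# mark_ttys_insecure TTYS_FILE
# Prints TTYS_FILE with the status word "secure" changed to "insecure" on every
# non-comment line, which makes init(8) ask for the root password before it
# hands out a single-user shell. Matching the whole word, rather than the
# :1,$s/secure/insecure/g of the vi recipe, keeps a re-run from producing
# "ininsecure" on lines that were already changed.
mark_ttys_insecure() {
    sed -E '/^#/!s/(^|[[:space:]])secure([[:space:]]|$)/\1insecure\2/g' "$1"
}

# set_single_user_root_hash PASSWD_FILE HASH
# Prints PASSWD_FILE with the password field of the root entry replaced by
# HASH, as produced by `openssl passwd -salt xy <password>` (13-character
# crypt(3) output). Anything outside the crypt alphabet is refused, which also
# keeps sed metacharacters out of the replacement text.
set_single_user_root_hash() {
    case $2 in
        '' | *[!A-Za-z0-9./]*)
            echo "refusing: hash must be a crypt(3) string" >&2
            return 1 ;;
    esac
    sed -E "s|^root:[^:]*:|root:$2:|" "$1"
}

# Constructed, abridged stand-ins for the real files (not copied from a system).
SAMPLE_TTYS='# name  getty                           type  status  comments
console "/usr/libexec/getty std.9600"   vt100 on secure
ttyp0   none                            network
ttyp1   none                            network secure'
SAMPLE_MASTER_PASSWD='nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false'

# Demonstration on temporary copies; the live files are never opened.
demo_ttys=$(mktemp)
demo_passwd=$(mktemp)
printf '%s\n' "$SAMPLE_TTYS" > "$demo_ttys"
printf '%s\n' "$SAMPLE_MASTER_PASSWD" > "$demo_passwd"
mark_ttys_insecure "$demo_ttys"
# "xyZ0EXAMPLEaa" is a constructed placeholder, not a real password hash.
set_single_user_root_hash "$demo_passwd" 'xyZ0EXAMPLEaa'
rm -f "$demo_ttys" "$demo_passwd"
```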

DISABLE SAFARI AUTO-OPEN 

Safari, Apple's web-browser, includes a feature where it will automatically launch a number of different file types with their associated application. This could potentially pose a risk with the user unwittingly opening a file without realising it. 


^ O __ ActOtrfltli __ 

63 ^ A H ti 

SlkMpU HvlwpOdfe 


fW ^1^ 

Adi3)Pi 

i ■ nemn Staurfiy '- 

Namo: |Huf2 

OmM AmittHi._s 



SheuT Iwmt' i|mu13 


PtiWWp! n-i***** 


VorifV; * 

^luvDfi* Hmt: , J 

tOpMaiKl) 

I.T Lsgwi OptiOMI 1 

03 

1 

1 


Qki tbv belt to pnta«nl fvnhtr EiumBnu 


To disable the feature: 

• Safari -> Preferences... -> General 

• 1 JnchcTk Open 'safe' files after downloading 


Using the Accounts preferences 
pane to remove extra users 


Checking system user accounts

You may also wish to ensure that no other accounts (not shown in the Accounts preferences pane) have been added by an application installation and left with insecure/default passwords. These could be exploited by an attacker, allowing them to log in to your machine.

To do this you need to make changes within the NetInfo database, either via the GUI or the command line. To remove passwords on extra system accounts using the GUI:

• Applications -> Utilities -> NetInfo Manager -> Domain -> Open -> / -> OK -> / -> users

• Choose a system user -> Ensure it has no passwd entry

• If it does have a passwd entry, click the lock in the bottom left -> authenticate -> select the passwd line -> Delete

• Close the window -> Save -> Update this copy


Disabling Safari auto-open 

REMOVING OTHER LOCAL USERS 

There are other vulnerabilities within Apple's Mac OS X 10.3.6 that have not yet been publicly disclosed and hence won't be discussed in this article. However, it should be noted (although probably obvious) that to ensure the security of your Mac OS X machine, you should avoid allowing any other local users access to your machine, whether by Fast User Switching or SSH.

Removing normal local users

The cleanest and easiest way to remove extra users is by using the Accounts System Preferences pane:

• Apple menu -> System Preferences -> Accounts

• Select the other account

• Click the minus (-) button -> Delete Immediately
Checking for active users in NetInfo Manager

FIX FILE PERMISSIONS

Over time, permissions and ownership of numerous files may become insecure. This is generally caused by installation of packages put together by non-security-savvy software developers.

To try to correct this situation, it is a good idea to regularly use Apple's Disk Utility to fix file permissions. This can be done by:

• Applications -> Utilities -> Disk Utility

• Select your / disk-partition

• First Aid -> Repair Disk Permissions

Repairing file permissions


It can also be done from the command line as root:

/usr/sbin/diskutil repairPermissions /

The output may look like:

Started verify/repair permissions on disk disk0s3 local
Determining correct file permissions.
We are using special permissions for the file or directory ./System/Library/Filesystems/cd9660.fs/cd9660.util. New permissions are 33261
Permissions differ on ./private/var/log/install.log, should be -rw-r--r-- , they are -rw-r-----
Owner and group corrected on ./private/var/log/install.log
Permissions corrected on ./private/var/log/install.log
Permissions differ on ./private/var/log/wtmp, should be -rw-r--r-- , they are -rw-r-----
Owner and group corrected on ./private/var/log/wtmp
Permissions corrected on ./private/var/log/wtmp
The privileges have been verified or repaired on the selected volume
Verify/repair finished permissions on disk disk0s3 local

You may choose to add this to root's crontab or the system cron files, e.g. /etc/weekly.local.

diskutil is unable to automatically correct all insecure/incorrect permissions for you. To list all files with potentially insecure or strange permissions, run the following commands as root and examine (or redirect) the output:

To list all setuid/gid (binaries that run with a user or group ID of someone other than the user running them, commonly root) files:

find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -al {} \; 2>/dev/null

To list all world-writable files:

find / -type f \( -perm -2 \) -exec ls -al {} \; 2>/dev/null

To list all world-writable directories:

find / -type d \( -perm -2 \) -exec ls -ald {} \; 2>/dev/null

To list all un-owned files:

find / \( -nouser -o -nogroup \) -exec ls -al {} \; 2>/dev/null

Based on the output of these commands, you may choose to change or remove permissions on some files manually. Make sure you are fully aware of the purpose of a file before fiddling with its permissions. Random permission changes may result in an unusable system!
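The four audits above, wrapped into a script so that the results can be kept as a baseline and diffed on later runs. This is an added example, not code from the article; it goes slightly beyond the article by skipping world-writable directories that carry the sticky bit (such as /tmp), and the tag names, function names and the sample tree used in testing are constructed for this example.

```sh
#!/bin/sh
# Added example, not code from the article. Runs the four permission audits
# the article lists over one directory tree and prints a tagged line per
# finding so that the output can be saved and diffed against a later run.
# Tag names and function names are this example's own.

# audit_perms <root-dir>
# Prints lines of the form "TAG path" for each finding.
audit_perms() {
    root=$1
    # setuid/setgid regular files: run with another user's or group's ID
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        sed 's|^|SUIDGID |'
    # world-writable regular files: anyone can alter their contents
    find "$root" -type f -perm -2 -print 2>/dev/null |
        sed 's|^|WWFILE |'
    # world-writable directories without the sticky bit: anyone can rename
    # or delete entries (goes beyond the article by skipping sticky dirs
    # such as /tmp, which are world-writable by design)
    find "$root" -type d -perm -2 ! -perm -1000 -print 2>/dev/null |
        sed 's|^|WWDIR |'
    # files whose owner or group no longer exists on the system
    find "$root" \( -nouser -o -nogroup \) -print 2>/dev/null |
        sed 's|^|ORPHAN |'
}

# perm_diff <baseline-file> <current-file>
# Prints findings present in the current run but not in the baseline;
# an empty result means nothing new appeared since the baseline was taken.
perm_diff() {
    base_sorted=$(mktemp)
    cur_sorted=$(mktemp)
    sort "$1" >"$base_sorted"
    sort "$2" >"$cur_sorted"
    comm -13 "$base_sorted" "$cur_sorted"
    rm -f "$base_sorted" "$cur_sorted"
}

# Typical use on the Mac, as root: save a baseline once, compare later
#   audit_perms / >/var/root/perm-baseline.txt
#   audit_perms / >/tmp/perm-now.txt
#   perm_diff /var/root/perm-baseline.txt /tmp/perm-now.txt
```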

REMOVING CLASSIC

Some users may have chosen to install Mac OS Classic support. Classic provides Mac OS 9 emulation support within Mac OS X, which allows a user to seamlessly run an old Mac OS application on their new Mac OS X machine.

If you're not actually using any Classic applications, it is best to disable and remove Classic support entirely. Run the following commands as root:

rm -rf /System/Library/PreferencePanes/Classic.prefPane/
rm -rf '/System/Library/Classic/'
rm -rf '/System/Library/CoreServices/Classic Startup.app/'
rm -rf '/System/Library/UserTemplate/English.lproj/Desktop/Desktop (Mac OS 9)/'
rm -rf '/System Folder/'
rm -rf '/Mac OS 9 Files/'
rm -rf '/Applications (Mac OS 9)'

SECURING BLUETOOTH

Bluetooth is a radio (2.4GHz) data technology that allows a user to wirelessly connect numerous personal devices to allow communication between them. Bluetooth achieves what is sometimes referred to as a Personal Area Network (PAN), allowing you to, for example, have your mobile phone, hands-free kit, PDA and computer all communicating wirelessly.

Unfortunately, Bluetooth has numerous security drawbacks. This section discusses a number of methods to help lock down Bluetooth on your Mac OS X machine. The methods can also be applied to your other, non-Mac OS X, Bluetooth devices (eg, PDA, mobile phone).

Turn it off

If you're not actively using the Bluetooth connection, you should disable it:

• Apple menu -> System Preferences -> Bluetooth -> Settings

• Turn Bluetooth Off


Disabling Bluetooth

Put the device in hidden/invisible mode

Your devices only need to be in "visible" or "discoverable" mode when pairing them with your other Bluetooth devices. Once you have paired devices, you should disable visibility. Paired devices are still able to communicate even when not in discoverable mode.

To make your Mac invisible:

• Apple menu -> System Preferences -> Bluetooth -> Settings

• Uncheck Discoverable

Note that invisible/non-discoverable mode does not make your device entirely invisible. It simply makes it harder to find.

Turn on authentication

Once Bluetooth authentication is on, devices generally need to use a common password to pair with another device, although there are vulnerabilities in some vendors' implementations. To turn on password authentication:

• Apple menu -> System Preferences -> Bluetooth -> Settings

• Check Require Authentication

Turn on encryption

Turning on Bluetooth encryption means that the majority of data transmitted between Bluetooth devices is encrypted with a common key. This makes it difficult for a third party to sniff the data or use recorded data in "replay attacks". To turn on Bluetooth encryption:

• Apple menu -> System Preferences -> Bluetooth -> Settings

• Check Require Authentication -> check Use Encryption

Do not allow auto-acceptance of files

It is best to always be asked for confirmation when accepting a file, stopping a dangerous file or Trojan from being automatically uploaded. To do this:

• Apple menu -> System Preferences -> Bluetooth -> File Exchange

• When receiving items: -> Choose Prompt for each file

• When PIM items are accepted: and When other items are accepted: -> Choose Ask

If you never use Bluetooth to push files from another device to your Mac, set it to automatically Refuse all.

Disable file shares

If you do not actively share files from the Mac to your other Bluetooth devices, disable all sharing (read-only and read/write) of files:

• Apple menu -> System Preferences -> Bluetooth -> File Exchange

• Uncheck Allow other devices to browse files on this computer

Disabling Bluetooth file sharing

Do not pair with unknown devices

To alleviate the chances of an attacker pairing with your machine, do not pair with an unknown device or allow physical access to your machine to any un-trusted party.
NETWORK SECURITY

The following section describes methods of securing Mac OS X from an external, or network, perspective.


DISABLING SERVICES

By default, Mac OS X does not come with any network services enabled. However, some services may have been enabled unwittingly or by installing extra software. This section describes methods of ensuring unknown services are disabled.

Sharing

Apple's Sharing preference pane is a front-end to xinetd and SystemStarter. It is used to enable and disable a number of common Internet services such as SSH (Remote Login) and the Apache web-server (Personal Web Sharing).

By default, Mac OS X 10.3 comes with all the Sharing network services turned off. However, some users may have enabled services unnecessarily.

The following table shows the Apple service name, normal Internet service name, and software associated with providing the service:

Apple Service            Internet Service    Software
Personal File Sharing    AFP (over TCP)      AppleFileServer
Windows Sharing          SMB/CIFS            Samba
Personal Web Sharing     HTTP                Apache
Remote Login             SSH                 OpenSSH
FTP access               FTP                 tnftpd
Apple Remote Desktop     ARD                 ARD Helper
Remote Apple Events      EPPC                AEServer
Printer Sharing          LPR/printer         CUPS

The Sharing preferences pane

To disable all services:

• Apple menu -> System Preferences -> Sharing

• Uncheck any checked service

A very basic description of each service can be read by selecting the service and reading the description provided below the Start/Stop button.

If you must have remote access to your Mac, SSH ("Remote Login") is considered to be one of the more secure methods. SSH can also be used for file transfer by using SCP (Secure Copy) and SFTP (Secure FTP). You can also use it for securely tunnelling other services, for example ARD or VNC. See below for instructions on restricting to particular IPs (either through xinetd or ipfw) and securing the default sshd settings.

inetd

Mac OS X uses the xinetd Internet Super Server for providing a number of IP-based services. Some are enabled/disabled through the Sharing preferences pane while many others (including what are commonly referred to as "useless Unix services") aren't. A list of all services it can provide (from a default installation) can be found in /etc/xinetd.d/.

A listing of any services that have been enabled (either through the Sharing preferences pane or otherwise) can be found by:

grep disable /etc/xinetd.d/* | grep no

Any services that are not required should be disabled. This can be done by editing the file revealed by the command above and changing the line disable = no to disable = yes. For example, your ssh file may look like:

service ssh
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/libexec/sshd-keygen-wrapper
        server_args     = -i
        groups          = yes
        flags           = REUSE IPv6
        session_create  = yes
}

Once all unnecessary services have been disabled, you can restart xinetd with:

kill -HUP `cat /var/run/xinetd.pid`

If you have disabled every service and want to kill off xinetd entirely:

kill `cat /var/run/xinetd.pid`
If you're choosing to leave a service enabled, you can either restrict what IPs can connect to it within xinetd, or within the ipfw firewall software (see section below). If you decide to restrict it within xinetd, you have the choice of either "allow some, deny rest" or "deny some, allow rest".

As the final line (i.e. above the closing }) within the xinetd configuration file for the service you're restricting, add in your specifications. To "allow some, deny the rest":

only_from = <ip or subnet>, <ip or subnet>, <ip or subnet>

Or to "deny some, allow the rest":

no_access = <ip or subnet>, <ip or subnet>
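A more robust version of the grep check above, as an added example that is not part of the article: it parses each file under a given xinetd.d directory, treats a service with no disable line as enabled (xinetd's default, which the grep misses), and reports whether each enabled service carries an only_from or no_access restriction. The directory argument and the sample service files used in testing are constructed.

```sh
#!/bin/sh
# Added example, not code from the article. Lists the xinetd services that
# are actually enabled under a given xinetd.d directory and shows whether
# each carries an only_from / no_access restriction. Unlike the article's
# "grep disable | grep no", it also catches a service file with no disable
# line at all, which xinetd treats as enabled. The directory argument and
# the files used when testing are constructed for this example.

# list_enabled_xinetd <xinetd.d-dir>
# Output: "<service> ENABLED <restrictions|UNRESTRICTED>", one per service.
list_enabled_xinetd() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '
            function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
            /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blanks
            $1 == "service" { svc = $2; dis = "no"; acl = ""; next }
            index($0, "=") {                             # "key = value" lines
                key = trim(substr($0, 1, index($0, "=") - 1))
                val = trim(substr($0, index($0, "=") + 1))
                if (key == "disable")
                    dis = val
                else if (key == "only_from" || key == "no_access")
                    acl = acl (acl == "" ? "" : ";") key "=" val
                next
            }
            /^[ \t]*}/ {                                 # end of the service block
                if (svc != "" && dis == "no")
                    printf "%s ENABLED %s\n", svc, (acl == "" ? "UNRESTRICTED" : acl)
                svc = ""
            }
        ' "$f"
    done
}

# On the Mac, as root:  list_enabled_xinetd /etc/xinetd.d
```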


Insecure services can also be tunnelled with encryption using SSH. Doing so, you leave the service firewalled to the outside world and tunnel a connection into the machine using SSH. OpenSSH itself also has specific user access controls on top of xinetd's and a firewall. See the section below for specifics on securely using SSH.

OSX hostconfig Services

Mac OS X uses a service start-up system called SystemStarter, which replaces the init scripts most people would be familiar with from Unix System V variants. It does include a number of features not available in init, such as including dependencies in the service, rather than relying on manual ordering within a certain run-level.

A number of SystemStarter scripts source the /etc/hostconfig file to see if they should start or not. This file contains variables we can set to quickly enable/disable services at boot time.

The following table lists items you may find in /etc/hostconfig and a short description of what they're used for:


Service          Description
AFPSERVER        Apple File Serving, over TCP, for "Personal File Sharing"
AUTHSERVER       Apple NetInfo Authentication service
AUTOMOUNT        Automatic mounting of NFS mountpoints (not to be confused with amd)
CUPS             Local printing services
IPFORWARDING     IP routing for other clients
IPV6             IP version 6 protocol support
MAILSERVER       The postfix SMTP mail server
NETINFOSERVER    Bind to a NetInfo server for directory and authentication access
NFSLOCKS         Network File System file locking support
NISDOMAIN        Bind to a NIS domain server for authentication
RPCSERVER        Remote Procedure Call support for numerous Unix services, such as NFS
TIMESYNC         Run ntpd to maintain constant time synchronisation
QTSSERVER        Apple QuickTime Streaming Server modules
WEBSERVER        The Apache web-server for "Personal Web Sharing"
SMBSERVER        Windows file sharing using Samba
DNSSERVER        BIND DNS server
COREDUMPS        Writes a core dump to disk in the case of a kernel panic
VPNSERVER        Apple's VPN service daemon (L2TP and PPTP)
CRASHREPORTER    Apple's crash logging service
XGRIDSERVER      Act as a server for Apple's grid computing software, Xgrid
XGRIDAGENT       Act as a client for Apple's grid computing software, Xgrid
ARDAGENT         Apple Remote Desktop server

Table showing hostconfig entries and descriptions


Suggested services to enable include CUPS (with =-YES-) to allow printing and NETINFOSERVER (with =-AUTOMATIC-), which will load netinfod on a stand-alone machine for authentication.

You can enable ntpd for consistent time synchronisation for meaningful logs if you wish. If you choose to disable it, you may wish to add the ntpdate command to /etc/daily or root's crontab:

/usr/sbin/ntpdate -p 4 -u time.asia.apple.com

Change "time.asia.apple.com" to a local NTP server closer to your location.

Other OSX Services

Finally, some SystemStarter and mach_init.d scripts don't actually refer to an entry in /etc/hostconfig to see if they should be run or not. These scripts require manual examination.

SystemStarter and mach_init store their scripts in three locations: /Library/StartupItems/, /System/Library/StartupItems/ and /etc/mach_init.d/.

An example service that starts from StartupItems without examining a /etc/hostconfig entry is the NFS server, nfsiod, starting from /System/Library/StartupItems/NFS/NFS. To de-activate it, as root you would edit the script and comment out the line that starts nfsiod:

# nfsiod is the NFS asynchronous block I/O daemon, which implements
# NFS read-ahead and write-behind caching on NFS clients.
#nfsiod -n 4

Apple's automount daemon (AMD - not to be confused with the NFS automount service) is used for automatically mounting CDs and image files. It can be disabled in /System/Library/StartupItems/AMD/AMD. It also checks /etc/hostconfig for AMDSERVER=-NO-, which can be inserted manually (it isn't included in /etc/hostconfig by default).

A default system is unlikely to have any further items that aren't controlled by /etc/hostconfig. However, third-party applications you have installed may. You may wish to examine the contents of each /System/Library/StartupItems/*/* and /etc/mach_init.d/* file to determine what services start automatically.

Finally, you can check for any services left running by using, as root:

/usr/sbin/lsof | grep LISTEN


DISABLING DIRECTORY ACCESS METHODS

By default, Mac OS X comes with a number of directory access methods enabled, which could be open to exploitation (e.g. the LDAPv3 service accepts an LDAP server from DHCP by default, which could be faked by a rogue DHCP server on the LAN).


64  February 2005  www.mactech.com



















For a stand-alone Mac OS X client, the majority of (or potentially all) services are not required. The following is a table of each of the Directory Access methods and a description of its use:

Directory Access method    Use
Active Directory           Windows 2000 domain file sharing and authentication
AppleTalk                  Apple's legacy protocol for discovering file and print services
BSD Flat File and NIS      /etc flat files and Unix Network Information Service (NIS) or Yellow Pages (yp) directory and authentication
LDAPv3                     LDAP directory access and authentication
NetInfo                    Apple's directory access and authentication
Rendezvous                 Apple multicast protocol for file, print, chat, music and other network services
SLP                        Service Location Protocol, open standard file and print server discovery
SMB                        Windows workgroup file and print sharing/serving

Table showing Directory Access methods and their use.
To disable services you don't require:

• Applications -> Utilities -> Directory Access

• Uncheck unrequired services

Configuring Directory Access

If you need to use LDAP for directory services (such as an enterprise LDAP email address book), ensure you have disabled the DHCP-supplied LDAP Server option:

• Applications -> Utilities -> Directory Access -> LDAPv3 -> Configure

• Uncheck Use DHCP-supplied LDAP Server

Disabling DHCP-supplied LDAP Server

CONFIGURING A FIREWALL

By default, Mac OS X does not come with its built-in firewalling software, ipfw, enabled. The following section shows how best to enable a firewall on your machine.

Mac OS X's built-in firewall configuration

Mac OS X includes a method for enabling a default set of firewall rules within the Sharing preferences pane:

• Apple menu -> System Preferences -> Sharing -> Firewall -> Start

Enabling ipfw through System Preferences


By default, the firewall the Sharing pane installs is relatively mediocre from a security point of view, but much better than no firewall at all. The following is a list of the rules it adds:

02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
12190 deny tcp from any to any
65535 allow ip from any to any

If you have enabled services, they will automatically be allowed through the firewall from 0/0 (everyone). If you have installed a third-party service, you may need to manually add it to the firewall:

• New -> Port Name -> Other

• Port Number, Range or Series: -> Type in the port number/s or range of ports the application needs inbound access for

• Description: -> Type in the name of the service

Adding an extra service to the firewall

A number of manually-installed services are already listed in the New window under the Port Name menu.

Manual firewall configuration

The following section discusses designing and implementing a manual firewall script using ipfw.

As root, create the SystemStarter directory and open its parameters list in your favorite editor:

mkdir /Library/StartupItems/firewall
vi /Library/StartupItems/firewall/StartupParameters.plist

Insert the following into StartupParameters.plist:

{
  Description     = "firewall";
  OrderPreference = "None";
  Provides        = ("firewall");
  Requires        = ("Network");
  Messages =
  {
    start = "Starting firewall";
    stop  = "Stopping firewall";
  };
}

Next, edit /System/Library/StartupItems/IPServices/StartupParameters.plist and insert the following between Provides and Uses:

Requires = ("firewall");

So that it reads:

{
  Description     = "Internet services";
  Provides        = ("Super Server", "Config Server");
  Requires        = ("firewall");
  Uses            = ("mDNSResponder", "Portmap", "NetworkExtensions");
  OrderPreference = "None";
}

This creates a dependency and ensures the firewall has been configured before any network services you've left enabled are loaded. This ensures none of the services are loaded with no protection between them and the outside world.

Finally, open up /Library/StartupItems/firewall/firewall in your editor and, at a minimum, insert the following rule-set. You may wish to add extra rules in the appropriate section from the example rules below this section.

#!/bin/sh

# Declare variables

# Path to firewalling software
FW="/sbin/ipfw"

# Flush any existing rules from the firewall
$FW -q flush

## Outgoing

# Drop MS VPC7 license checking going out
$FW add deny udp from any to any 31790
# Drop MS Office license checking going out
$FW add deny udp from any to any 2222
# Allow pretty much anything else out
$FW add allow all from any to any out

## Incoming

# Allow all from/to local loopback interface
$FW add allow all from any to any via lo0
# Then deny anything pretending to come from 127 on other ifs
$FW add deny log all from 127.0.0.0/8 to any in

# Allow relevant outgoing connections back in

# Allow half open TCP back in (although not active ftp)
$FW add allow tcp from any to any established in

# Allow related UDP back in
# DNS UDP/53
$FW add allow udp from any 53 to any 1024-65535 in
# NTP UDP/123
$FW add allow udp from any 123 to any 123 in
$FW add allow udp from any 123 to any 1024-65535 in

# DHCP UDP/67
# DHCP request to server back in to client
$FW add allow udp from any 67 to any 1024-65535 in
# DHCP offer from server in to client
$FW add allow udp from any to any 68 in

# Allow the necessary ICMP in
# (echo reply, dest unreachable, ttl exceeded, IP header bad)
$FW add allow icmp from any to any icmptypes 0,3,11,12

#### Insert your custom rules here
####

# Reject IDENT/AUTH with an ICMP reply
$FW add reject tcp from any to any 113 in

# Deny (drop without ICMP) the rest and log to /var/log/system.log
$FW add deny log all from any to any

exit


Some rules you may wish to insert could include the following:

# Windows/SMB/Samba client access
$FW add allow udp from any 137-139 to any in
$FW add allow udp from any 445 to any in
$FW add allow tcp from any 137-139 to any in
$FW add allow tcp from any 445 to any in

# PPTP VPN client access
# (replace <ip> with your VPN server's IP)
$FW add allow 47 from <ip> to any in

# H.323 client access (NetMeeting and similar)
$FW add allow udp from 0/0 to 0/0 1720 in
$FW add allow tcp from 0/0 to 0/0 1720 in
$FW add allow tcp from 0/0 to 0/0 30000-30010 in
$FW add allow udp from 0/0 to 0/0 5000-5099 in

# X Window client in an XNest running in display :1
# (replace <ip> with the Unix box's IP)
$FW add allow tcp from <ip> to any 6001 in

# XDMCP client in an XNest running in display :2
# (replace <ip> with the Unix box's IP)
$FW add allow tcp from <ip> to any 6002 in
$FW add allow udp from <ip> 177 to any in

# SSH server
$FW add allow tcp from 0/0 to any 22 in

To determine what TCP or UDP port a service uses (so that you can let incoming requests through your firewall), you can check the /etc/services file:

grep -i <service name> /etc/services

Monitoring ipfw

The final rule in the above script tells ipfw to log any packets hitting the final deny rule before silently dropping them. As root, you can see which packets are being dropped with a command like:

/usr/bin/tail -f /var/log/system.log | grep ipfw
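An added example (not from the article) that summarises the lines the final deny rule writes: it counts, per source address, how many packets were dropped and how many distinct destination ports were tried, which makes a sweep across ports stand out among single blocked packets. The syslog prefix and the sample lines below are constructed in the form ipfw's log keyword writes to system.log; IPv6 addresses, which contain colons, are not handled.

```sh
#!/bin/sh
# Added example, not code from the article. Summarises the entries that the
# final "deny log" rule writes to system.log so that a sweep across many
# ports from one host is easy to spot among individual blocked packets.
# The prefix "Mon DD hh:mm:ss host kernel: ipfw:" is the syslog form the
# article's tail/grep command shows; the lines below are constructed.

SAMPLE_LOG='Feb 10 14:02:11 mymac kernel: ipfw: 65534 Deny TCP 192.0.2.5:4444 198.51.100.7:22 in via en0
Feb 10 14:02:12 mymac kernel: ipfw: 65534 Deny TCP 192.0.2.5:4445 198.51.100.7:23 in via en0
Feb 10 14:02:13 mymac kernel: ipfw: 65534 Deny TCP 192.0.2.5:4446 198.51.100.7:25 in via en0
Feb 10 14:02:14 mymac kernel: ipfw: 65534 Deny UDP 203.0.113.9:1900 198.51.100.7:1900 in via en0
Feb 10 14:02:15 mymac kernel: ipfw: 02060 Accept TCP 198.51.100.7:50000 192.0.2.10:80 out via en0
Feb 10 14:02:16 mymac kernel: ipfw: 65534 Deny TCP 203.0.113.9:1025 198.51.100.7:22 in via en0
Feb 10 14:02:17 mymac configd[103]: unrelated message'

# summarize_ipfw_denies   (reads log lines on stdin)
# Output, one line per source address, highest count first:
#   <denied packets> <distinct destination ports> <source address>
# Only IPv4 is handled (the address:port split assumes one colon); ICMP
# entries carry no port and are counted as a single destination.
summarize_ipfw_denies() {
    awk '
        # field layout: 1-3 timestamp, 4 host, 5 "kernel:", 6 "ipfw:",
        # 7 rule number, 8 action, 9 protocol, 10 src:port, 11 dst:port
        $6 == "ipfw:" && $8 == "Deny" {
            split($10, src, ":")
            split($11, dst, ":")
            total[src[1]]++
            if (!((src[1], dst[2]) in seen)) {
                seen[src[1], dst[2]] = 1
                ports[src[1]]++
            }
        }
        END {
            for (s in total) printf "%d %d %s\n", total[s], ports[s], s
        }
    ' | sort -rn
}

# Live use on the Mac, as root, over the most recent part of the log:
#   tail -n 1000 /var/log/system.log | summarize_ipfw_denies
```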

KERNEL TWEAKING

The following section describes a number of kernel variables that should be set to ensure the most secure network settings. Insert the following into /etc/sysctl.conf to ensure they're at their most secure:

# Verbose firewall logging
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=65535
# ICMP limit
net.inet.icmp.icmplim=1024
# Stop redirects
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
# Stop source routing
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
# Stop broadcast ECHO response
net.inet.icmp.bmcastecho=0
# Stop other broadcast probes
net.inet.icmp.maskrepl=0
# TCP delayed ack off
net.inet.tcp.delayed_ack=0
# Turn off forwarding/routing
net.inet.ip.forwarding=0
# Turn on strong/randomized TCP sequencing
net.inet.tcp.strict_rfc1948=1

They can also be manually entered at the command line (or in another script) at any time with the following syntax as root:

/usr/sbin/sysctl -w <variable>=<setting>

SECURING SSH

SSH (Secure Shell) is provided under Mac OS X using the open-source package OpenSSH. It can be used for a secure remote interactive shell (SSH), secure file transfer (SFTP), secure copy (scp), secure X Window forwarding (X11 Forwarding) and encrypted tunnelling of other IP services.

General sshd changes

sshd is highly configurable and can be further locked down from its default settings. Its server configuration file can be found under Mac OS X as /etc/sshd_config and the following changes from the default configuration are recommended:

#Protocol 2,1
(to)
Protocol 2

#PermitRootLogin yes
(to)
PermitRootLogin no

Subsystem sftp /usr/libexec/sftp-server
(to)
#Subsystem sftp /usr/libexec/sftp-server

Using SSH keys for authentication

It is considered more secure to login with an SSH key pair than a password. A machine that has already been hacked may have a trojaned sshd binary or authentication services which may be able to give a copy of your password to the attacker. If you have the same password on multiple machines (which is obviously not recommended) they may then login to those other machines using your credentials.

On the other hand, logging in with an SSH key does not allow an attacker to gain your password, even if you are using the same SSH key (with the same passphrase) to login to other machines. To disable password authentication:

#PasswordAuthentication yes -> PasswordAuthentication no
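An added check (not from the article) for the sshd_config changes recommended above: it works out the effective value of each keyword the way sshd does (the first uncommented occurrence wins, and the commented "#Keyword value" lines in the shipped file document the compiled-in default that applies otherwise) and flags any that differ from Protocol 2, PermitRootLogin no and PasswordAuthentication no. The file path and the sample config used in testing are constructed.

```sh
#!/bin/sh
# Added example, not code from the article. Checks an sshd_config against the
# settings recommended above. Like sshd, it takes the first uncommented
# occurrence of a keyword as the value in force; the commented
# "#Keyword value" lines in the shipped file record the compiled-in default,
# so that is what applies when no uncommented line exists. The file path
# and the sample config used when testing are constructed.

# sshd_effective <config-file> <Keyword>
# Prints the effective value, or "(unset)" if neither an active nor a
# commented default line mentions the keyword. Keywords are case-insensitive.
sshd_effective() {
    awk -v key="$2" '
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        tolower($1) == ("#" tolower(key)) && dflt == "" { dflt = $2 }
        END { if (!found) print (dflt == "" ? "(unset)" : dflt) }
    ' "$1"
}

# audit_sshd <config-file>
# One line per recommended keyword: "OK <key> <value>" or
# "WARN <key> expected=<want> actual=<have>". Returns 1 if anything differs.
audit_sshd() {
    rc=0
    for pair in Protocol=2 PermitRootLogin=no PasswordAuthentication=no; do
        key=${pair%=*}
        want=${pair#*=}
        have=$(sshd_effective "$1" "$key")
        if [ "$have" = "$want" ]; then
            echo "OK   $key $have"
        else
            echo "WARN $key expected=$want actual=$have"
            rc=1
        fi
    done
    return $rc
}

# On the Mac:  audit_sshd /etc/sshd_config
```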

To generate an SSH key pair on your external machine (assuming it runs OpenSSH):

user@host$ ssh-keygen -b 4096 -t dsa -C "Key for user@host Nov 2004"
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/user/.ssh/id_dsa.
Your public key has been saved in /Users/user/.ssh/id_dsa.pub.
The key fingerprint is:
f1:99:d7:05:be:7f:41:42:64:97:b1:e7:d3:4f:c9:05 Key for user@host Nov 2004

DSA is considerably faster than RSA for key generation and signing, however some argue that DSS has some potential security flaws in its signing process on machines with low random number entropy.

Ensure you add a passphrase to your key to protect it if the remote machine is compromised.

Now put ~/.ssh/id_dsa.pub from the remote machine into ~/.ssh/authorized_keys on your Mac. Your key will now be automatically used instead of a password for SSH, SCP and SFTP remote access to your machine.
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Forwanfing XII through SSH 

HiniilJy, ij'yiju have XI1 programs tliai you want to cxjxjit Irack 
to a lemote truicliine, it is a^coiTMnended tl^it you use Vs in-lxiilt 
XI1 Forwarding in /etc/ss]id_canfig: 

JfXllForwiirding no 
do] 

XllForwardin^ yes 

From t\w client niJichine, you setup the SSH tunnel l^y typing: 
ssh X 1 osernanic ^remote Mao> 

Tunnelling other IP services through SSH

SSH can also be used to tunnel an otherwise insecure protocol through
it.

For example, you may wish to use a VNC server running on the Mac OS X
machine. VNC by itself is not encrypted: the session goes over the
network in the clear and its password authentication is weak. A
somewhat more secure solution to this problem is to leave the VNC port
firewalled, tunnel a VNC connection through SSH to the machine and
connect to the VNC port on its loopback interface.

For example, to make a tunnel through to the remote Mac's TCP port 5900
(commonly VNC), you would do:

ssh -N -L 5900:127.0.0.1:5900 <remote Mac>

This command binds SSH to port 5900 on the localhost and tunnels it,
via SSH, to port 5900 on the remote Mac. You would now point your VNC
client to 127.0.0.1 (i.e. the localhost's loopback interface) on port
5900 and it will securely connect to the VNC server on your remote Mac.
By default the local end of the tunnel listens only on the client's
loopback interface, so other hosts on your network cannot ride it.

Restarting sshd after config changes

Because Mac OS X spawns sshd from xinetd rather than as a stand-alone
server, there is no need to restart anything. Changes you make to
sshd_config are read in on the next connection to that service.


CONCLUSIONS

With the move from Mac OS Classic's roots to a Unix-based operating
system, Apple's Mac OS has undergone massive changes.

While it is one of the more secure Unix operating environments by
default, there are a number of methods the administrator of the
machine can make use of to harden the environment further.

This article has outlined a number of these methods to secure Mac OS X
from a local and network perspective.
APPLESCRIPT ESSENTIALS * by Benjamin S. Waldie

An Introduction to Handlers

In a previous article, you may remember that we discussed methods of
writing AppleScripts to watch folders for incoming items to process.
In each of the methods we discussed, we made use of handlers. This
month, we are going to explore handlers in more depth. Since handlers
are a fairly complex subject, the full scope of handlers will not be
covered in this month's article. Rather, we will cover the basics of
handlers. In future articles, we will discuss handlers in more detail.

What is a Handler?

A handler is a group of one or more AppleScript statements that are
associated with a single command. As we will discuss, some handlers are
user defined, and some are application or system defined.

Once the command associated with a handler is invoked, the statements
within that handler will execute. Handlers allow you to group your code
into logical "chunks," which may be triggered, or called, over and over
again within a script. By carefully constructing your handlers, you can
make scripts very modular, giving you the ability to break the scripts
apart and reuse the handlers again in future scripts. Many AppleScript
developers store their handlers in code libraries. These libraries can
then be loaded, and handlers within them can be triggered from other
scripts.

Anatomy of a Handler

Let's take a look at a basic handler. The following handler may be used
to display a basic dialog message.

on displayDialog()
	display dialog "This is code within a handler."
end displayDialog

Now, let's break handlers down into different parts, and examine how
they are constructed.

Handler Definition

A handler definition refers to the handler itself. The following would
be considered the handler definition from the previous example.

on displayDialog()
	display dialog "This is code within a handler."
end displayDialog

A handler definition always begins with the word on or to, which
indicates to AppleScript that it is the beginning of a handler. In the
example above, I chose to begin my handler with the word on. However,
the method you choose to use is entirely at your discretion. You should
use whichever word looks more acceptable to you.

The next part of the handler definition is the name of the handler,
followed by any parameters to be passed to the handler by the script.
For example:

displayDialog()

In many cases, you may need to pass information to a handler to be
processed. To allow for this, handlers support input parameters.
Handlers also have the ability to return data back to the script. For
example, a handler may return a true/false value indicating whether or
not it was successfully processed.

There are a couple of different methods that you can use to specify
input parameters, and we will discuss them shortly. In the previous
example, the empty parentheses indicate that my handler does not
require any parameters.

Following the first line of a handler definition are any AppleScript
statements that should be executed by the handler. You may write as few
or as many statements as you need, keeping in mind that they will not
execute until the handler is called.

The final line of a handler definition always begins with the word end,
followed by the name of the handler.

end displayDialog

To save time when writing a handler, you may write the word end, and
when you compile your code, the handler name will automatically be
inserted for you.

Handler Call

To call a handler from within a script, you must specify the name of
the handler, followed by values for all of its parameters. The
following is the call for the previous handler example:

displayDialog()

We'll look at calling handlers that use parameters shortly, as we
explore parameters.

If you need to call a handler from within an application tell block,
you must specify of me after the handler call (or, equivalently, prefix
the call with my) to indicate that the handler is to be addressed
within the script, and not within the application. For example:

tell application "Finder"
	displayDialog() of me
end tell


Parameters

As previously mentioned, the first line of a handler contains the
handler name, followed by any parameters to be passed into the handler.
A parameter is a variable that is named in the handler definition, and
is assigned a value when the handler is called. When calling a handler,
all parameters are required, and must be specified. Handlers do not
allow optional parameters.

There are two types of parameters that may follow a handler name -
labeled parameters and positional parameters.

Labeled Parameters

Labeled parameters are parameters that are associated with labels in
the handler definition. When the handler is called, these labels are
used to determine which parameters are which. Therefore, when working
with labeled parameters, you may pass the parameters through your
handler call in any order you wish, so long as they correspond with the
correct labels. The exception to this rule is that, in some cases, you
may choose to assign a direct parameter, which is required to fall
immediately after the handler name.

There are two ways that you can assign labeled parameters in a handler.
The first is to assign the parameters using one of the following
predefined labels: about, above, against, apart from, around, aside
from, at, below, beneath, beside, between, by, for, from, instead of,
into, on, onto, out of, over, since, through, thru, under. The label of
may also be used, though only to define a direct parameter. If you add
a direct parameter, using the label of, then you are required to have
at least one additional parameter. The following is an example of a
handler with labeled parameters:

to displayDialog of theText above theButtons aside from theIconNumber
	display dialog theText buttons theButtons with icon theIconNumber
end displayDialog

In the example above, the parameter theText is a direct parameter, as
indicated by the label of. The parameter theButtons is associated with
the label above, and the parameter theIconNumber is associated with the
label aside from. The handler above would be called using the following
line of code:

displayDialog of "Hello" above {"OK"} aside from 1

Again, since labeled parameters are associated with their labels, you
can rearrange the non-direct parameters, if desired. For example, the
following handler call would function identically to the previous one.

displayDialog of "Hello" aside from 1 above {"OK"}

Another way to assign labeled parameters is to use custom labels. This
is done by creating label definitions in the format
labelName:parameterName, separating them by commas, and preceding them
with the label given. Custom labeled parameters must follow any
predefined label parameters. An example of a handler with custom
labeled parameters is the following:

on displayDialog of theText given someButtons:theButtons, someIconNumber:theIconNumber
	display dialog theText buttons theButtons with icon theIconNumber
end displayDialog

In the example above, the parameter theText is a direct parameter,
preceded by a predefined label. The remaining parameters are custom
labeled parameters. The parameter theButtons is associated with the
custom label someButtons, and the parameter theIconNumber is associated
with the custom label someIconNumber. This handler can be called using
the following line of code:

displayDialog of "Hello" given someButtons:{"OK"}, someIconNumber:1

Again, since this handler makes use of labeled parameters, the
non-direct parameters may be rearranged, if desired:

displayDialog of "Hello" given someIconNumber:1, someButtons:{"OK"}

Positional Parameters

Another type of parameter that you can use when defining a handler is a
positional parameter. Positional parameters are separated by commas,
and do not contain any labels. Because they do not contain labels, they
are identified by their position in the handler definition. Therefore,
they must be listed in the same position when the handler is called.
The following is an example of a handler that makes use of positional
parameters:

on displayDialog(theText, theButtons, theIconNumber)
	display dialog theText buttons theButtons with icon theIconNumber
end displayDialog

The handler above may be called using the following line of code:

displayDialog("Hello", {"OK"}, 1)

Return Value

In some cases, a handler may return a value to the script that called
it. This value may be placed into a variable for later usage. By
default, a handler will return the result of the last AppleScript
statement that executes within the handler, assuming that this
statement produces a result. If desired, you may configure your handler
to return a different value. For example, the following code returns
the name of the button clicked in the dialog.

set theChoice to displayDialog()

on displayDialog()
	display dialog "Would you like to continue processing?" buttons {"Yes", "No"}
	return button returned of result
end displayDialog

Next, I could add additional code at the root level of my script to
check the button that was clicked, now stored in a variable called
theChoice, and take the appropriate course of action.

Within a handler, you may return a value at any time to cease further
execution of that handler, or you may return no value to cease
execution without returning a specific value. For example, the
following handler will stop processing, returning no value, if the user
clicks the "No" button.

displayDialog()

on displayDialog()
	display dialog "Would you like to continue processing?" buttons {"Yes", "No"}
	set theChoice to button returned of result
	if theChoice is "No" then return
	display dialog "Continuing..."
end displayDialog
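Putting the last three sections together, here is an added example (not
code from the article) of a handler that takes custom labeled
parameters, returns a record instead of a bare string so the caller can
tell an answer apart from a dialog that timed out, and is called both
at the top level and from inside a Finder tell block. The handler name
askUser and its labels askText, askButtons and askTimeout are my own
choices, not terms from the article.

```applescript
-- Added example (not from the original article). A reusable "ask the
-- user" handler that combines custom labeled parameters with a return
-- value: it returns a record rather than a bare string so the caller can
-- tell a real answer apart from a dialog that timed out.
on askUser given askText:theText, askButtons:theButtons, askTimeout:theSeconds
	-- The last button in the list is the default; the dialog gives up
	-- after theSeconds seconds so an unattended script cannot hang.
	set theDialog to display dialog theText buttons theButtons default button (count theButtons) giving up after theSeconds
	if gave up of theDialog then
		-- return ends the handler here; nothing after it runs
		return {chosenButton:missing value, didTimeOut:true}
	end if
	return {chosenButton:button returned of theDialog, didTimeOut:false}
end askUser

-- Labeled parameters may be passed in any order.
set theReply to askUser given askButtons:{"Cancel", "Continue"}, askText:"Continue processing?", askTimeout:30

if didTimeOut of theReply then
	display dialog "No answer within 30 seconds; stopping." buttons {"OK"} default button 1
else if chosenButton of theReply is "Continue" then
	tell application "Finder"
		set theCount to count of items of desktop
		-- Inside a tell block the call must be addressed to the script (my,
		-- or "of me" after the call); otherwise AppleScript looks for
		-- askUser in the Finder's dictionary and the script fails to compile.
		my askUser given askText:("The desktop holds " & theCount & " items."), askButtons:{"OK"}, askTimeout:10
	end tell
end if
```

Returning a record rather than the button name is the design point:
with giving up after in play, a plain string return would force the
caller to treat "no answer" and "Cancel" the same way.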

Types of Handlers

There are two types of handlers in AppleScript - subroutine handlers
and command handlers.

Subroutine Handlers

Subroutine handlers are groups of statements, which are defined by the
developer, and called throughout a script, or from another script.
Subroutines can be extremely useful if you need to perform the same
exact task over and over throughout your script. For example, let's say
that you need to display an informational dialog to the user 10 times
throughout your script to let the user know what is occurring.

display dialog "Beginning next task..." buttons {"•"} default button 1 with icon 1 giving up after 3

To display the above dialog 10 times, I could write out all of this
code 10 times - or, I could write a handler 1 time.

on displayNextTaskMessage()
	display dialog "Beginning next task..." buttons {"•"} default button 1 with icon 1 giving up after 3
end displayNextTaskMessage

Once written, this handler can be triggered from anywhere within my
script. Rather than writing the entire lengthy line of display dialog
code each time I need to display the dialog to the user, I can call my
handler instead. The following code would call the
displayNextTaskMessage handler.

displayNextTaskMessage()

In the example above, you may be wondering where the handler name
"displayNextTaskMessage" came from. This is something that I defined
myself when writing the handler. Remember, since subroutine handlers
are defined by a developer, their names are user definable. So, I could
have named this handler anything I wanted, as long as it was not the
name of another existing handler in my script.

Command Handlers

A command handler is a group of statements that is triggered by a
specific application or system related event.

Every AppleScript application contains an implied run handler. Any
AppleScript statements at the top level of the script, excluding global
variables, properties, other handlers, and script objects, fall within
that run handler. If you prefer to make the run handler visible in your
code, you may wrap these statements within an on run handler. When the
script is run, both methods will behave identically. For example, each
of the examples below will perform the exact same function:

Example 1:

display dialog "Hello!"

Example 2:

on run
	display dialog "Hello!"
end run

As you can see, any code within the run handler of a script will be
executed whenever the script is run. However, in some cases, you may
want to execute code when other types of actions occur within your
script.

The open handler may be used to initiate specific code when items are
dragged and dropped onto a script in the Finder. For example:

on open theDroppedItems
	-- Process the items
end open

By adding an open handler into a script, and then saving that script as
an application, the script will automatically accept dropped files and
folders. It will also receive a new icon, indicating that it is now a
drop script.

Figure 1. A Drop Script Icon

In the previous example code, the parameter theDroppedItems will
contain a list of aliases to any items dropped onto the script. If you
want your script to only process folders, then you would need to add
custom code within the open handler to determine which dropped items
were folders, and process only these items.
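As an added example (not from the article), here is a complete drop
script that does exactly that filtering: the open handler keeps only
the dropped items that are folders, a run handler covers the case where
the applet is double-clicked with nothing dropped on it, and both hand
the folders to one shared subroutine handler. The task performed on each
folder (counting its files) and the handler names are my own choices.

```applescript
-- Added example (not from the original article). An application with
-- both an open handler and a run handler: dropped items are filtered so
-- that only folders are processed, and launching the applet without a
-- drop asks for a folder instead of doing nothing.
on open theDroppedItems
	-- theDroppedItems is a list of aliases, one per dropped item
	set theFolders to {}
	repeat with thisItem in theDroppedItems
		-- info for returns a record; its folder property is true for folders
		if folder of (info for thisItem) then set end of theFolders to (thisItem as alias)
	end repeat
	if (count theFolders) is 0 then
		display dialog "Nothing to do: drop one or more folders on this script." buttons {"OK"} default button 1
		return
	end if
	processFolders(theFolders)
end open

on run
	-- Double-clicking the applet (no drop) runs this handler instead
	set theFolder to choose folder with prompt "Choose a folder to process:"
	processFolders({theFolder})
end run

on processFolders(theFolders)
	-- Subroutine handler shared by both command handlers.
	-- Assumed task: report how many files each folder holds.
	repeat with thisFolder in theFolders
		tell application "Finder" to set theFileCount to count of files of thisFolder
		display dialog (thisFolder as text) & " contains " & theFileCount & " files." buttons {"OK"} default button 1
	end repeat
end processFolders
```

Save it as an application to get the drop-script icon. Because files
are silently skipped rather than processed, a stray file dropped along
with the folders cannot trigger the folder logic by accident.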

Two other types of command handlers that may be added to an AppleScript
application are the idle handler and the quit handler.

An idle handler is particularly useful when creating stay open
AppleScript applications. In a stay open AppleScript application, by
default, AppleScript will send the script an idle command every 30
seconds. At that time, any code within the idle handler will execute.
For example, if I save the following code as a stay open AppleScript
application, and trigger it, the script will beep every 30 seconds:

on idle
	beep
end idle

Though the default time period between idle messages is 30 seconds, I
can change this behavior if desired, by returning an integer value
indicating how many seconds of a delay should occur before the next
idle. In the following example, the script would beep every 10
seconds.

on idle
	beep
	return 10
end idle

The quit handler may be used in order to execute code when the script
quits, whether manually quit by the user or not. A quit handler must
finish with continue quit; without it the default quit behavior never
runs and the application stays open.

on quit
	display dialog "Task complete."
	continue quit -- hand off to the default quit handler, or the application will not quit
end quit
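The following is an added example (not the article's code) that uses all
three command handlers in one stay open application: a run handler to
take a first snapshot, an idle handler that polls a folder every 10
seconds and reports anything new, and a quit handler that resets state
and ends with continue quit. The watched location (a folder named
"Incoming" on the desktop), the property names and the reportNewItem
subroutine are assumptions of the example.

```applescript
-- Added example (not from the original article). A stay open
-- application that polls a folder every 10 seconds from its idle handler,
-- remembers what it has seen in a script property, and cleans up in a
-- quit handler that finishes with continue quit.
property watchFolder : missing value -- set when the applet launches
property seenNames : {} -- names already reported
property pollInterval : 10 -- seconds between idle calls

on run
	-- Assumed watch location: a folder named "Incoming" on the desktop.
	set watchFolder to ((path to desktop as text) & "Incoming:") as alias
	tell application "Finder" to set seenNames to name of every item of watchFolder
end run

on idle
	tell application "Finder" to set currentNames to name of every item of watchFolder
	repeat with thisName in currentNames
		if seenNames does not contain (thisName as text) then
			set end of seenNames to (thisName as text)
			reportNewItem(thisName as text)
		end if
	end repeat
	-- the returned integer is the delay, in seconds, before the next idle
	return pollInterval
end idle

on quit
	-- Properties persist between runs of a saved applet, so clear the
	-- list here; otherwise items seen today would never be reported again.
	set seenNames to {}
	continue quit -- without this the applet ignores the quit request
end quit

on reportNewItem(theName)
	display dialog "New item in " & (watchFolder as text) & ": " & theName buttons {"OK"} default button 1 giving up after 5
end reportNewItem
```

Save it with the Stay Open option checked. Note that the folder is read
afresh on every idle call; the snapshot in seenNames is only used to
decide what is new, so deleting and re-adding an item does re-report it
after a quit and relaunch.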

Example Handlers

Now that we have covered the basics of handlers, let's take a look at
some example handlers, which may be useful to you as you write scripts
in the future. Each of these handlers has been written generically, so
that you can use it in virtually any script in the future.

The following handler will make a new folder in a specified output
folder, using a specified name:

on makeNewFolder(theNewFolderName, theOutputFolder)
	tell application "Finder" to make new folder at folder theOutputFolder with properties {name:theNewFolderName}
end makeNewFolder

The following handler will delete a folder or a file:

on moveItemToTrash(theItemPath)
	tell application "Finder" to delete item theItemPath
end moveItemToTrash

The following handler will mount an AFP volume:

on mountVolume(theVolumeName, theServerIPAddress, theUserName, thePassword)
	mount volume ("afp://" & theUserName & ":" & thePassword & "@" & theServerIPAddress & "/" & theVolumeName) as string
end mountVolume

Keep in mind that this form writes the password into the URL string, so
anyone who can read the script's source, or a log that records the URL,
can read it. The mount volume command in Standard Additions also
accepts separate as user name and with password parameters.
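Here is an added example (not the article's code) of the same handler
with the credentials passed to mount volume as parameters rather than
spliced into the URL, wrapped in a try block so the handler returns
true or false instead of throwing, and called with a user name and
password asked for at run time instead of stored in the script. The
server address 192.0.2.10 and share name "Shared" are placeholders, and
the hidden answer option of display dialog is assumed to be available
in the Standard Additions version in use.

```applescript
-- Added example (not from the original article). mountVolume rewritten
-- so the password is passed to mount volume as a parameter rather than
-- embedded in the URL. Returns true on success and false on failure so
-- that callers can react instead of relying on an uncaught error.
on mountVolume(theVolumeName, theServerAddress, theUserName, thePassword)
	try
		mount volume ("afp://" & theServerAddress & "/" & theVolumeName) as user name theUserName with password thePassword
		return true
	on error errMsg number errNum
		display dialog "Could not mount " & theVolumeName & ": " & errMsg & " (" & errNum & ")" buttons {"OK"} default button 1
		return false
	end try
end mountVolume

-- Assumed usage: ask for the credentials each time rather than keeping
-- them in the script, where they would survive in the saved source.
set theUser to text returned of (display dialog "User name:" default answer "")
set thePass to text returned of (display dialog "Password:" default answer "" with hidden answer)
if mountVolume("Shared", "192.0.2.10", theUser, thePass) then
	display dialog "Volume mounted." buttons {"OK"} default button 1
end if
```

If the handler is saved on its own as a compiled script, another script
can pull it in with set fileLib to load script (alias "path:to:FileLib.scpt")
and call it as fileLib's mountVolume(...), which is the library pattern
mentioned at the start of the article.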


In Closing

Again, handlers are a fairly complex aspect of AppleScript development
for many users. Today, I use them regularly, and I try to make them as
modular as possible. My theory is that if I write code to perform a
specific task, such as opening a document in QuarkXPress, then I don't
want to ever write that code again. Rather, I store the handler for
later usage in future scripts, and the next time I need to perform the
task, which could be a year down the line, I simply add the handler
into my new script.

I encourage you to begin using handlers more in your scripting, as it
will benefit you greatly. We'll discuss other aspects of handlers in
more detail in future articles. In the meantime, for additional
information about handlers, you may want to check out an AppleScript
book, or browse the AppleScript Language Guide at
<http://developer.apple.com/documentation/AppleScript/>.

Until next time, keep scripting!
By George Reis

Imaging in Forensics - An Overview

Been to a crime scene lately? Chances are that the Crime Scene
Investigator was using a digital camera. Within minutes, those images
may be on a shared network and available for a detective to view,
photographs of the fingerprints will be enhanced and searched for
matches in the state's database, and images from the security video
made available to the press.

Although many agencies throughout the US have not yet moved to digital
imaging, many have, and have made substantial use of some of the very
cool technology available. Let's take a look at some of the technology
and applications of digital cameras, computers and image processing in
the forensics world. But first, let's see how this technology evolved
from the early days of digital imaging forensics in the 1990's.

A Little History

I was fortunate to be among the early adopters of digital imaging in
forensics. This was due as much to luck as anything else, one of those
issues of being in the right place at the right time. My background was
in photojournalism, and I made an early attempt at freelancing. After a
few years, I found that working for someone else would make my mortgage
company (and my wife) much happier, so I found work in a commercial
photo lab. After a couple of years of smelling like photo chemicals, I
answered a classified ad for a "Police Photographer" at the Newport
Beach Police Department. That was in 1989, well before the CSI
television shows.

In the early 1990's when I was first exploring how digital imaging
technology could be used in forensics, information was hard to find,
tools were few and far between, and Macs were still the most popular
computer for graphics. The Newport Beach Police Department was a Mac
lab at the time, but also ran an HP 3000 for our statistics. There
wasn't a Mac at every desk, and the secretaries still used typewriters,
but we did have a couple of dozen Macs distributed throughout the
agency. I wanted one, and I wanted Photoshop, but it was hard to sell
management on the idea. I learned to write Quiz reports using a dumb
terminal on the HP 3000, and eventually was able to upgrade to an Apple
Quadra 950 with a copy of Photoshop 2.5.

Digital cameras were pretty rare in those days. In 1992, Kodak
introduced the DCS 200, which was a 2 megapixel digital SLR with an 80
MB hard drive built in, that went for $10,000. Sony had the ProMavica,
which was a 3 chip camera with a resolution of 640 x 480 that cost
about the same. Quite a difference from the camera options and pricing
of today.

Imaging and Fingerprints - First Steps

There were a handful of people in forensics experimenting with digital
imaging at that time. We were mostly looking at ways to enhance
fingerprints. We struggled with some very basic concepts, like how to
size a digital photograph of a fingerprint to 1:1, or how to trace a
fingerprint to enable it to be searched within the Automated
Fingerprint Identification System (AFIS).

This need to trace fingerprints was important, as the technology for
entering a latent fingerprint for a database search was relatively
arcane at the time. NEC was a primary AFIS vendor. In California, most
counties had a database of fingerprints of those arrested within their
county, and the state maintained a database of fingerprints for the
state. The computers to search these databases required an 8.5 inch
floppy to boot up, and had a low-resolution scanner built into the
workstation to scan a physical tracing of a fingerprint. Searches often
took two to three days to get results (results are usually within 15
minutes today). The method for creating this tracing was almost
comical - a latent fingerprint would be photographed with a Polaroid
MP4 copy camera to a 5X enlargement. Then a sheet of tracing paper
would be taped to the Polaroid and the ridges were traced by hand with
a pencil. When the tracing was complete, it would be photographed at
1:5, to bring the 5X tracing back to the print's original size. Then,
this Polaroid photograph of the tracing of the fingerprint was scanned
into the AFIS, the tracing would be cleaned up, additional information
entered for the search, and three days later there would be roughly a
ten percent chance of a match. That is, 90 percent of the fingerprints
enlarged, traced, reduced and entered into the system would not match
a print in the database - it may have been the victim's print, the
print of a customer at the business that was robbed, not enough detail
in the print to generate a match, etc.

At the time, this technology seemed wonderful - it sure beat the
cartooning method (an examiner at one agency would describe, by phone,
what the fingerprint looked like to another examiner to see if they
may have seen one like it!). But, it is obvious to anyone now that
this method needed improvement - virtually no enhancement of the
fingerprint could be done. It was possible to make minor global
contrast or brightness adjustments through exposure and development
times (this was the peel-apart Polaroid material), or by choosing the
high contrast Type 55 film. The precision of the sizing of the
enlargement and reduction was far from accurate. It is no wonder that
finding a method to do this digitally would lead to a higher number of
fingerprint matches by having better fingerprint detail and more
accurate image sizes. But, simple things like figuring out how to make
a digital tracing of the fingerprint before Photoshop had layers
weren't obvious to us back then. We weren't computer experts, we
weren't Photoshop experts, we just had jobs that involved photography
and fingerprints and we knew that computers could help us do a better
job - and we managed to make it work.

Image Analysis

Over the years, image processing in forensics expanded to more areas,
including questioned document examination; footwear, tire impression
and tool mark examination; blood spatter evidence; bullet striation
and primer mark examination, etc. In addition, video analysis moved to
the digital realm, bringing with it a new set of experts and tools.

Image analysis and enhancement today is quite different than what we
were attempting in the early 90's. Now, we can do quite a bit of
non-destructive processing using adjustment layers, we can localize
enhancements with layer masks, we can utilize Photoshop's Channel Mixer
to extract a fingerprint from a background or to find detail that
wasn't visible to the eye. Photoshop plug-ins like Fovea Pro and
Optipix from Reindeer Graphics give us the capability to apply a Fast
Fourier Transform to eliminate patterned backgrounds, apply
deconvolution to correct for motion blur or poor focus, and utilize
frame averaging to eliminate noise from a sequence of images. Plug-ins
like Human Software's PhotoFixLens enable us to correct lens
distortion.

With the introduction of the History Log in Photoshop CS, the ability
to have an audit trail stored in the file's metadata has been a huge
benefit in forensics. There is no court requirement that one have an
audit trail, but it is a key feature in validating that good
techniques were used and makes it possible to easily repeat most
enhancements. Bear in mind that the log is ordinary XMP metadata that
can be edited or stripped from the file, so it documents the processing
steps rather than proving the image was not altered; the integrity of
the original still rests on hashing it at acquisition and working only
on copies. The History Log can be invoked through the General
Preferences pane in Photoshop CS. The metadata recorded can be viewed
by choosing History from the File Info dialog box or in the Metadata
tab in Photoshop's File Browser.

Figure 1. History Log

The History Log is off by default. It can be activated in Photoshop's
General Preferences pane, with options for saving in the file's
metadata, as a separate text file, or both. The History Log can record
sessions only, a concise record, or detailed listings of the tools used
and parameters set.
If the History Log is recorded as file metadata, it can be viewed in
File Info from the File menu.

An objective in image analysis is often to extract some image data so
that it can be seen with the best possible detail. Processes for
extracting this information may be as simple as increasing contrast
globally or in local areas of the image, increasing the sharpness,
controlling the color channels to build contrast between the print and
the background, removing a patterned background, etc.

The introduction of Adjustment Layers in Photoshop a few versions ago
enabled many adjustments to be made non-destructively. Prior to this,
making a Levels Adjustment or a Curves Adjustment would frequently
result in the loss of some image data. The problem with this is that
if additional image processing is desired, or if modifications to the
original adjustments are needed, it is too late. Adjustment layers
resolved this. In addition, Adjustment Layers also retain the
adjustment settings, so even if the History Log is not active, or if
one is using an older version of Photoshop, the audit trail exists.

As they say on the knife commercial, "but wait, there's more." And
there is. Masks can be used with Adjustment Layers to isolate the
adjustment to localized areas of the image. This provides substantially
more power to this feature, allowing different areas of the image to be
treated separately, while maintaining a visual mask to illustrate
precisely what areas of the image were affected by an adjustment.

Figure 3. Adjustment Layers

The top image is uncorrected, the bottom image has been given a Levels
Adjustment Layer with a Layer Mask, so that the background could be
lightened, while keeping the foreground from becoming too bright.

One of the most powerful tools used for image enhancement tasks is the
Channel Mixer. This tool allows one to combine the channels of a color
space in different percentages to affect the tonal contrast between
various colors. In forensics, this can extract a fingerprint from a
busy background, isolate an endorsement signature from the bank or
store imprinting, or even recover "invisible" writing from stolen
checks that have been bleached and rewritten.

Figure 4. Color Isolation

In this image, the signature is overwritten by the endorsement. Using
the Channel Mixer the color channels can be adjusted separately to
eliminate the color in the endorsement, and isolate the color in the
signature, as shown in the bottom image.

Video analysis has several unique features unto itself. Analog video is
an interlaced signal - two fields make up a single frame. The odd field
contains every other horizontal line of the image, and the even field
contains the remaining lines. Combining the two fields makes one frame.
In security systems, several camera views are often recorded onto the
same tape using a multiplexer, which allows the recording to sequence
from camera to camera in a number of different methods. Some systems
will even record different cameras on each field of a single frame!
Deinterlacing is a readily available tool, and can be done directly in
Photoshop and most video applications.

Figure 5. Deinterlace

The image on the left is an example of two cameras each being recorded
onto separate fields of the same video frame. Choosing Photoshop's
Deinterlace filter enables one to separate the two fields, which are
shown separated on the right of this image.

Separating each camera view into separate movie files is called
de-multiplexing, or deplexing. Multiplex systems use hardware to do
this task, but it compresses the files, which can ruin the value of the
images. Several Windows systems offer the ability to de-multiplex
virtually automatically within their software. On the Mac, this can be
done manually by exporting a movie file to a still image sequence and
manually sorting the files - neither an elegant nor an expedient
method.

One aspect of video that is advantageous is that 29.97 frames of video
are recorded per second. The advantage of this is that information from
several images can be combined to improve the image data. Low light
imaging produces a very low signal to noise ratio. The image noise can
make an otherwise sharp image virtually useless. Through frame
averaging - taking the average value of each pixel in a set of images -
the noise can be greatly reduced, thereby providing information that
had been impossible to see. Reindeer Graphics makes a nice Photoshop
plug-in for frame averaging. A key to getting the best value from frame
averaging is to have each image precisely aligned. Unfortunately, there
are not any good tools for image alignment available on the Mac
platform at this time. Combining multiple images as separate layers in
Photoshop and using the Difference mode is helpful, but limited,
especially if there is rotation in the image, or if subpixel movements
are necessary.

Figure 6. Frame Average

The image on the left is a video frame with too much noise to be able
to read the license plate. The image on the right is a Frame Average of
five video frames using the Reindeer Graphics Optipix plug-in.

Photography for Documentation 

The other main use of digital imaging in forensics applications is documenting a crime scene, traffic accident or piece of evidence. In this instance, an analyst isn't comparing one image to another, but attempting to use photography to illustrate to a detective, attorney, judge and/or jury what they saw. Photography has been used for this purpose since at least 1859.

The weaknesses of the early digital cameras were a lack of resolution, high prices and focal length limitations. It wasn't until the mid to late 1990's that digital cameras were exceeding 3 megapixels and moving to an affordable price range. For this reason, evidence photography for documentation continued to be film-based, even for agencies using image processing for image analysis. In many agencies, film was scanned and made available to others for viewing on a network. Prints were made with dye sublimation printers or mini-lab equipment with digital capabilities.

Today, thousands of agencies are using digital cameras to document crime scenes, traffic accidents and photograph evidence.

The key issues involved in evidence photography are to create images that represent the subject matter, maintain a chain-of-custody, and that images can be shared with those who need them (detectives, investigators, attorneys, courts). Because each agency is autonomous and has different staffing and volume, the approaches may vary - but the general concepts are basically the same.

Generally accepted best practice recommendations in forensics are that access to digital images should be limited and that image processing should only be done to copies of the original.

Images stored on a server can restrict access through permissions. Some systems allow one to set security levels to allow specific users to have read and write permissions but not rewrite capability. This helps guarantee that original images cannot be changed.
Asset management applications are not always a part of a forensics workflow. A primary reason for this is that images tend to belong to specific cases, so a simple hierarchical filing system works well. If an agency either also has public relations photographs or wants to search their images by criteria such as crime type or reporting district, an asset manager may be used. Photoshop's File Browser may be adequate to meet some needs, and when something more substantial is needed, an asset manager like Extensis Portfolio may be used. A few companies have created Windows-based asset management applications directed specifically toward the forensics market - some offering image authentication and/or encryption as part of their package. These, however, tend to be expensive solutions that don't really offer needed features.



Figure 7. File Browser

This is Photoshop's File Browser - on the left are tabs for navigation, a preview image, metadata and adding and searching by keyword; the right side shows thumbnails of any given folder. All pane sizes are adjustable.

It isn't uncommon for crime scene photographs to need some basic image adjustments to correct for incorrect exposures and color shifts from fluorescent or tungsten light. Most of this is easily done in Photoshop with simple adjustment layers. Localized adjustments can be accomplished with layer masks. As mentioned in the image analysis section, the advantages of non-destructive editing that adjustment layers bring are substantial in a forensics workflow.

The PhotoFixLens plug-in from Human Software allows one to correct the barrel distortion of wide-angle lenses. The use of wide-angle lenses is common, and often necessary in a forensics environment. The problem with this, however, is that wide-angle lenses are subject to barrel distortion. Fortunately, this can be corrected, so that straight walls don't appear to have curved surfaces.



In the top image the garage door appears warped because of barrel distortion from using a wide-angle lens. Using PhotoFixLens from Human Software, this can be corrected, as shown in the bottom image.

Multiple photographs are frequently taken to show specific aspects of a piece of evidence. For instance, bodily fluids will fluoresce under UV light, but this lighting makes it difficult to discern the object - only the fluorescence is visible. Another example is photographing a bullet trajectory in the dark, using a laser - the trajectory shows, but the background goes black. To resolve this issue, photographs are taken of the subject with normal lighting, and again under the specialized lighting required in the specific instance. The two images can then be combined as separate layers in Photoshop using the Lighten mode, which displays the lightest values from each layer.
Summary

This article attempted to show some of the uses and tools used in imaging by the forensics community. Image processing techniques and digital photography have contributed a lot to the toolbox in this field. Although there isn't yet a "CSI" button on the keyboard, there are many capabilities that were impossible just a few years ago. At the same time, there is a great opportunity for developers to create more tools, and to make those we have more efficient. Hopefully this overview will spark an interest in the Macintosh developer community to build more tools in forensics applications.

And, now the next time you see a Crime Scene Investigator with their digital camera, you'll have a pretty good idea of what will be happening with the images that they take.

Figure 9. Trajectory

The top left photograph is of a living room in daylight with flash. The photo beneath it shows a bullet trajectory, made by using a laser pointer with no room illumination. The image on the right combines these two images, and shows the well-lit room with the trajectory by using the Lighten Mode in Photoshop's Layers.
SOFTWARE MARKETING • by Dave Wooldridge

Broadcast Your News with RSS

Why E-mail Newsletters are Losing Their Effectiveness

What's Wrong With E-Mail?

As a business owner who understands the value of communicating with our customers, I've employed the use of a double opt-in email newsletter on our web site so that interested users can elect to receive free announcements and exclusive offers from us in the form of a monthly e-mail. For years, this has been an effective way to promote products and offers to new and existing customers. They voluntarily requested to receive the information and I'm more than happy to deliver it. The ratio of bounced e-mails was always very small compared to the high percentage of opened e-mails. We also enjoyed a fairly high click-through rate from the hyperlinks in our e-newsletters. But in the last year or two, I've noticed that the percentage of bounced and unopened e-mails has drastically risen. Once one of our most powerful online marketing tools, the e-mail newsletter is quickly losing its effectiveness.


So what happened? Why are opt-in e-newsletters having trouble reaching their subscribers? A suspicious eye points to spam as the primary culprit. With spam constituting more than 40% of all e-mail sent world-wide, e-mail inboxes everywhere are feeling the strain of the countless spam messages that arrive daily. To combat the never-ending invasion, Internet users are installing software spam filters, which offer automated solutions for detecting and deleting spam.

While spam filters do an amazing job at ridding your inbox of unwanted, unsolicited messages, they are often over-zealous in their task, accidentally deleting important e-mails that you actually do want to read. Intelligent spam filters allow users to customize a "white list" of acceptable senders, but unfortunately, instructing your e-newsletter subscribers to add your e-mail address to their "white lists" may not resolve this issue. For many consumers, just installing the spam filter was difficult enough. Asking them to also "configure" the spam filter will undoubtedly go beyond the comfort level of many newbie computer users. Even if your subscribers are tech-savvy enough to properly optimize their spam filters, they may not remember to do so. Over the course of time, an individual may sign up for dozens of e-mail newsletters. Let's say they installed a brand new spam filter yesterday. They remember to "white list" their friends and family, but not the many e-mail newsletters they've volunteered to receive. Today, you send out your latest monthly e-newsletter, which is quickly eaten by their new spam filter, unbeknownst to the recipient.

With the overwhelming onslaught of spam, the effective marketing power of e-mail newsletters is rapidly declining. For years, many companies have successfully promoted their products and services through legitimate opt-in e-newsletters, but the mainstream adoption of aggressive spam filters is making it increasingly difficult to reach customers via e-mail. The solution is RSS.

Another factor that is quickly eroding the effectiveness of e-mail newsletters is the dominating fear that most consumers now have in submitting their e-mail address through web site forms. Even if you post your company's privacy policy online, reassuring visitors that their e-mail addresses will not be shared or sold to anyone, their fear of possibly receiving more spam often outweighs any amount of trust they have in your web site. Many companies have seen a steady drop in the number of e-mail newsletter sign-ups each month.

As a result, RSS and other news feed technologies (such as Atom) are quickly becoming an important alternative for communicating with customers. The problem with e-mail is that once a spammer gets a hold of your e-mail address, they can continue to fill your inbox with unwanted messages, leaving spammers with all of the control. The beauty of RSS is that it gives the control back to Internet users, allowing them to subscribe and "fetch" only the news they want without relinquishing any personal information (such as e-mail addresses).

An Alternative Communication Channel

So you've heard about RSS and vaguely understand that it's an XML-based format for broadcasting and syndicating news and weblogs. You may have even been curious enough to download and test drive one of the many Mac-based news readers available such as NetNewsWire (http://ranchero.com/netnewswire/), Radio Userland (http://radio.userland.com/), or NewsFire (http://www.newsfirerss.com/). Or maybe you maintain your own personal weblog through a third-party site or software application, which automatically generates an RSS or Atom feed of your blog. But so far, you've only perceived RSS as an "early adopter" technology and have not figured out how it could benefit your company's quest to reach the mainstream online audience.

If I just described your experience with RSS, then 2005 is the year you should seriously consider RSS as a viable communication channel for your business. Take a quick look at the home pages of your favorite web sites and you'll find that a large majority of them now display little blue or orange RSS/XML buttons that are hyperlinked to their respective news feeds. 2004 saw a rapid adoption of RSS by thousands of companies, musicians, writers, politicians, etc. as a powerful new way to reach people safely and quickly. With an RSS feed, you can post anything to subscribers that you would normally include in your e-mail newsletter such as press releases, special offers, handy tips, hyperlinks, pictures, and more. There are even a growing number of sites that post special RSS feeds with embedded audio files - affectionately labeled by many as "podcasting" since the downloaded feeds can be synced with iTunes and iPods.

No longer isolated to "early adopter" news reader software, RSS is now supported by the popular Firefox web browser and coming soon to Safari (with the highly anticipated release of Mac OS X Tiger). By the time you read this, RSS support may have been added to other major web browsers as well.

Millions of Firefox users are already enjoying RSS due to its easy-to-use integration with the web browser. Subscribing to a news feed in Firefox is as easy as adding the RSS URL as a new "Live Bookmark". Firefox's Live Bookmarks are displayed as folders in the Bookmarks sidebar pane. Simply expand a Live Bookmark folder to see a complete list of broadcasted news entries from that RSS feed (see Figure 1).



Figure 1.

No longer seen as an "early adopter" technology, RSS has already found mainstream popularity and support in the Firefox web browser (above) and the forthcoming Safari RSS browser.

So now you're ready to take advantage of RSS, but the idea of having to learn XML or a new technology is causing much hesitation. Your work schedule is insanely busy, so just the thought of adding RSS to your overflowing "to do" list is causing mild stomach pains. Not to worry. There's a quick and easy way to create your own RSS news feed for free and without any knowledge of RSS or XML.

Look, Ma - No Hands! 

A weblog is a collection of postings, so it's very similar to the functionality of RSS news feeds, except that weblogs have their own web page interface for displaying blog entries. This is why syndicated feeds were a natural companion for weblogs and were adopted quite early on by savvy bloggers. Sites like Blogger (http://www.blogger.com/) offer a free weblog service for anyone who wishes to start their own weblog. Not only will they host your weblog for free, but they also provide all the web-based tools you need to post new entries.

Why should you care about a weblog when you're trying to create an RSS feed? Because Blogger (as well as other similar services) automatically generates a news feed of your weblog, accessible from a dedicated public URL. Don't think of weblogs as only useful for sharing personal online journals. They can also serve as an easy way to maintain a virtual press room! If you already post your press releases and announcements on your web site, then you can kill two birds with one stone by creating a weblog for all of your news postings. Instead of creating a special page on your site for displaying news, simply link from your web site to your news-oriented weblog.

Beyond being free, Blogger.com is a solid, dependable choice since it is owned by search engine giant, Google. Blogger.com also maintains a heavily linked network of weblogs, ensuring additional exposure within the blogging community. Online marketers are starting to realize that since weblogs typically contain lots of links and text, they tend to rank much higher in the search engine ratings than normal business sites that get weighed down by the heavy use of non-searchable elements such as Flash and images. This means that there's a strong possibility that your press releases and announcements will rank higher in search engines when posted on your weblog than if only posted on your business web site.

After signing up for your free Blogger account, you have the option to either pick one of their many pre-made web page templates or you can customize the web page style sheet of your weblog to mirror the look and feel of your own web site. If you don't know HTML, then the premade templates are a great solution, but for a professional business, it's in your best interest to customize the template so that the integration of your weblog with your own site appears to be as seamless as possible. For an example of this, check out the developer site RB Garage (http://www.rbgarage.com/) and then click on the "News Feed" link in the menu. The link takes you to RB Garage's News page, which stays true to the site's page design while being hosted by Blogger.com. Visitors can either read RB Garage News online via the weblog or they can opt to receive the same information by subscribing to RB Garage's RSS/XML news feed URL.

Most bloggers invite readers to post comments about their daily blog entries in the hopes of initiating some interesting dialog among differing opinions. If you're utilizing your weblog as an online press room, you'll probably want to prevent users from posting comments about your press releases (especially negative comments that might derail your marketing objectives). The interactive comments feature can be easily disabled in your Blogger.com account settings.

A Smart Feed Is The Best Feed 

The news feed URL that Blogger.com provides is in the Atom format. Some news readers support Atom, but at the moment, RSS appears to be more widely supported. In order to ensure the most compatibility and exposure with the widest array of news reader software, browsers, and syndicated portal sites, you want your news feed to support the common flavors of both RSS and Atom.

This can be easily accomplished by utilizing the innovative services of FeedBurner (http://www.feedburner.com/). As of this writing, their services are still free, but they may eventually charge a nominal fee for their use. With FeedBurner, you supply them with your Atom-based feed URL from Blogger.com, which they convert into what they call a SmartFeed. The converted SmartFeed is a different URL than the one provided by Blogger.com. You'll notice that the SmartFeed URL is hosted by FeedBurner. Powered by FeedBurner's unique technology, your SmartFeed is capable of dynamically supplying your news in either Atom format, RSS format, or a web-based format using an XML style sheet (XSLT), depending on the compatibility of the software that's attempting to read it.
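To show what the Atom-to-RSS half of such a conversion involves, here is an added Python example (my code, not FeedBurner's or Blogger's) that turns a constructed Atom feed from a hypothetical weblog into RSS 2.0; the site name, posts and timestamps are made up.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import format_datetime

ATOM_NS = "http://www.w3.org/2005/Atom"

# Constructed sample of the kind of Atom feed a hosted weblog publishes
# (hypothetical site and posts; not a real Blogger feed).
SAMPLE_ATOM = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example Garage News</title>
  <link rel="alternate" href="http://news.example.invalid/"/>
  <updated>2005-03-01T12:00:00Z</updated>
  <entry>
    <title>Widget 2.0 released</title>
    <link rel="alternate" href="http://news.example.invalid/2005/03/widget-20.html"/>
    <id>tag:news.example.invalid,2005:post-42</id>
    <updated>2005-03-01T12:00:00Z</updated>
    <summary>Version 2.0 adds Tiger support.</summary>
  </entry>
  <entry>
    <title>Spring discount</title>
    <link rel="alternate" href="http://news.example.invalid/2005/02/discount.html"/>
    <id>tag:news.example.invalid,2005:post-41</id>
    <updated>2005-02-14T09:30:00Z</updated>
    <summary>20% off all licenses until March 31.</summary>
  </entry>
</feed>
"""


def _rfc822(atom_time):
    """Atom carries RFC 3339 timestamps; RSS 2.0 expects RFC 822 ones."""
    stamp = datetime.strptime(atom_time, "%Y-%m-%dT%H:%M:%SZ")
    return format_datetime(stamp.replace(tzinfo=timezone.utc))


def parse_atom(xml_text):
    """Pull the channel and entry fields that RSS needs out of an Atom feed."""
    root = ET.fromstring(xml_text)
    ns = {"a": ATOM_NS}

    def field(node, tag):
        child = node.find(f"a:{tag}", ns)
        return (child.text or "").strip() if child is not None else ""

    def alt_link(node):
        # rel defaults to "alternate" in Atom; that is the human-readable page.
        for link in node.findall("a:link", ns):
            if link.get("rel", "alternate") == "alternate":
                return link.get("href", "")
        return ""

    return {
        "title": field(root, "title"),
        "link": alt_link(root),
        "updated": field(root, "updated"),
        "entries": [{
            "title": field(e, "title"), "link": alt_link(e), "id": field(e, "id"),
            "updated": field(e, "updated"), "summary": field(e, "summary"),
        } for e in root.findall("a:entry", ns)],
    }


def atom_to_rss(xml_text):
    """Build an RSS 2.0 document carrying the same items as the Atom feed."""
    feed = parse_atom(xml_text)
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = feed["title"]
    ET.SubElement(channel, "link").text = feed["link"]
    ET.SubElement(channel, "description").text = feed["title"]  # required by RSS
    ET.SubElement(channel, "lastBuildDate").text = _rfc822(feed["updated"])
    for entry in feed["entries"]:
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = entry["title"]
        ET.SubElement(item, "link").text = entry["link"]
        ET.SubElement(item, "description").text = entry["summary"]
        ET.SubElement(item, "pubDate").text = _rfc822(entry["updated"])
        # Atom ids are tag URIs, not web addresses, so the guid is not a permalink.
        ET.SubElement(item, "guid", isPermaLink="false").text = entry["id"]
    return ET.tostring(rss, encoding="unicode")


def rss_items(rss_text):
    """Read the items back out of RSS text (used to check the conversion)."""
    root = ET.fromstring(rss_text)
    return [{child.tag: (child.text or "") for child in item} for item in root.iter("item")]


if __name__ == "__main__":
    print(atom_to_rss(SAMPLE_ATOM))
```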

But what about statistics? With most mailing list software, the number of current subscribers is always available. More sophisticated programs can even track the number of bounced, opened and clicked e-mails in a given e-newsletter campaign. So the obvious question is: if subscribers are fetching the news from your feed instead of receiving an e-mail from you, how do you measure the effectiveness of RSS versus e-newsletters? Fortunately, FeedBurner also provides a nice array of statistics on your news feed. Simply log into your FeedBurner account to review the circulation of unique subscribers to your feed (based on IP addresses). It even gives you a breakdown of what software is being used to read your news feed. The statistics also include the number of hits/requests for your feed and the number of click-throughs to measure the effectiveness of links in your news feed postings.

Moving forward, only publicize the SmartFeed URL that's maintained by FeedBurner. You'll notice that on the SpiderWorks News page in Figure 1 and the RB Garage News page that was previously mentioned, the SmartFeed is the only RSS/XML link provided, guaranteeing that everyone who subscribes to that URL should be able to successfully read your news feed, regardless of the software they are using. Forcing all subscribers to use only your SmartFeed URL also allows you to maintain and monitor accurate usage statistics through FeedBurner.

It’s All About Options 

While this article obviously promotes the benefits of RSS, this does not mean that you should abandon your e-mail newsletter. Some people may still prefer to receive e-mail. In an effort to reach as many customers as possible, you should provide multiple options. Next to the e-newsletter sign-up form on your web site, include a link to your RSS news feed as an alternative selection (see Figure 2). To catch the eye of those who are specifically looking for that URL, use the standard blue and orange RSS/XML buttons that are popping up everywhere online.


Figure 2.

[Screenshot of the SpiderWorks sign-up page: a "Free eNewsletter" form (E-mail, Name, Subscribe) beside a "Free News Feed" section with the RSS button and the feed URL http://feeds.feedburner.com/spiderworks]

To accommodate the preferences of all users, your web site should offer more than one method for distributing news.

By maintaining an e-mail newsletter, a web-based press room (through your weblog), and an RSS/Atom/XML SmartFeed (generated from your weblog), you are giving the power of choice back to Internet users while simultaneously increasing the exposure for your products and services. A win/win situation for everyone!

The Icing On The Cake 

While some people do forward notable e-newsletters to a friend or family member, the biggest advantage that RSS has over e-mail is that XML-based news feeds can be syndicated. This means that any web site that wishes to repurpose your news for their audience can use a scripting language like PHP or Perl to parse and display your news items on their web site. For example, RBGarage.com's RSS feed provides the latest press releases and announcements from the REALbasic developer community. There are dozens of REALbasic-related web sites that currently syndicate the RB Garage News Feed. Those sites are hungry for free content and the products spotlighted in the RB Garage News Feed receive additional exposure. Post it in one place and it automatically gets displayed on dozens of web sites. Publicists work hard to distribute press releases via e-mail, eager for any willing web sites to help spread the word. With RSS news feeds, the broadcasting is automatic to all sites that have syndicated that feed.

RSS is a welcome solution for both online marketers and Internet users who are looking for a safe and effective way to send and receive news outside of the spam-infested world of e-mail.

PATCH PANEL • by John C. Welch




An Introduction to Kerberos and Single Signon

HOW TO GET ALL YOUR WORK DONE WITH ONLY ONE PASSWORD

One Login To Rule Them All

One of the single biggest problems that any sysadmin (or user for that matter) has is authentication management. We have lists of passwords that get used for everything. The login password. The email password. The file server password. The SSH password. Dealing with this is beyond painful, especially when you are managing hundreds, or even thousands of machines. As a result, one of the holy grails of network systems everywhere is the Single Signon, (SSO). SSO means you log into your Mac, and that's it. You're done with passwords. You don't have to enter anything again, because the SSO mechanism handles your authentication for you.

Fortunately, not only is there an outstanding SSO architecture out there, in the form of MIT's Kerberos, (http://web.mit.edu/kerberos/www/) but that mechanism is integrated into two network architectures that Mac users on a corporate LAN are going to use a lot: Apple's Open Directory and Microsoft's Active Directory. In this article, we'll take a look at the basics of Kerberos, and how Apple uses it to make your networked life a little simpler. Please note that while we'll talk about basic Kerberos principles, this isn't a detailed analysis of Kerberos, so if you're looking for a howto on complex Kerberos implementations, this article isn't it. Also note that we're using a very simple simulated Kerberos setup for clarity. They can be as complex as you want them to be. Finally, since Apple bases its Kerberos implementation around Kerberos version 5, that's what we're assuming you have. If you're using Kerberos version 4, some things are going to work differently.

Authentication, Not Authorization

Since Apple's SSO architecture is based around Kerberos, we need to be very clear on the one misconception that will trip up sysadmins new to Kerberos more than anything: Kerberos is an authentication mechanism, not an authorization mechanism. Kerberos' entire purpose is to provide a safe, secure, reasonably convenient way to say that the person logging into the network is who they say they are. It authenticates users. Kerberos does not say what you are allowed to use. That's authorization and while authorization mechanisms can use Kerberos, the actual decision of what you can use once authorized is not a part of Kerberos. It can be hard to wrap your head around this at first, since the two concepts go hand in hand, but the distinction is important.

One way to think of this is via the example of gaining access to a secure network room. There are two parts, authentication and authorization. First, you have to establish your identity to the security system. This is what things like biometrics, mag-stripe cards, prox cards, etc., are for. You use these to establish your identity, or authenticate yourself. Once that's done, that authentication is used by the authorization mechanism to see if you're allowed access. If you are, the door unlocks, and into the server room you go, aka:

1. "Let me in"

2. "Who are you"

3. "I'm Bob"

4. "Prove it"

5. "Here's my proof, now let me in"

6. "Hold on Bob, let me make sure you can go in."

7. "Okay, you're authorized to get into the server room, I'll unlock the door"

Step 5 is the authentication, step 7 is the authorization. If Bob wasn't allowed access to that room, then step 7 would read as "Yep, you're Bob. But you can't get in, you aren't authorized, sorry about that"

Kerberos is the way that Apple has chosen for that all-important step 5. Now that we know what Kerberos, (or "Kerb" for short) is used for, let's take a look at Kerberos as a thing.

Kerberos, Three Heads, No Waiting 

Kerberos is, according to MIT:

"Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography."

While that's a technically accurate description, it's not terribly helpful. A much more useful definition comes from AFP548's (http://www.afp548.com/) series of articles on Kerberos:

"Kerberos does one thing, and only one thing. Lucky for us it happens to do it very well. Kerberos is a method of authentication and only authentication. That means it only validates username password combos. After that it's up to the service using the username and password to do the rest of the work. Kerberos doesn't authorize a valid user to use a service, and it doesn't provide any services itself. It only authenticates.

Alright, Kerberos authenticates, big deal. There are a lot of authentication methods out there. APOP, Apple's SASL Password Server, PAM and a host of others all do this already. What Kerberos brings to the party is that it allows the authentication of a user without ever having to have that user's password go across the network. Every other popular service either just transmits the password to the server in plain text, or has a convoluted method for encrypting the password and then sending it across the network."

That line about your password never going across the network is critical. It means there's no way for anyone to sniff your password on the network, because it never goes on to the network. If it's not there, it's rather hard to steal it. When I worked for MIT IS, they couldn't use firewalls, since so much of the computing MIT does not only has to remain open, but is too experimental to work well with firewalls, so outside of a very small number of sites, they don't use them. They use Kerberos, and it works very well (It had better, since if you kick a tree at MIT, twenty hackers fall out, and they're all good.)

This lack of a password means however, that Kerberos never works the way you think it does at first. The way most non-Kerberized, (Note: when a service uses Kerberos for authentication, it's said to be "Kerberized". After all, why have a cool technology if you can't create new words for it?) authentication schemes work is something like this:

1. "I want to access <resource>"

2. "Who are you?"

3. "Bob"

4. "Prove it"

5. "Here's my <incrediblyconvolutedencrypted> password"

6. "Okay, you're Bob"
While this method works, if your password goes out over a network, especially the public internet, eventually, someone's going to grab it. Moore's law says it will eventually happen.

Kerberos does things differently, and as a result, your password never leaves your machine. So now, let's follow our buddy Bob through a Kerberos login.

First, Bob sits down at his Mac running a current version of Panther, Mac OS X 10.3. (Yes, you can use Kerberos with 10.2.x, but it's kludgy, so if you decide to use Kerb, upgrade to 10.3, you'll be much happier in the long run.) He enters his user ID ("admin", since that's what he is) and his password (doesn't matter). Once this happens, Kerberos starts its authentication jive. First, Kerb takes that user id and matches it to the Mac's Kerb realm. A realm, in Kerbspeak, is analogous to a DNS domain, and in fact, looks like an all caps version of a domain. So, if MacTech was using Kerb internally, their realm would probably look like: MACTECH.COM. Realms are pretty simple, they're just the basic organizational unit for Kerberos, and are how you keep track of what resources are part of what group. You can have multiple realms working together, either cross-linked, in what's called a cross-realm trust, (i.e. MACTECH.COM and XPLAIN.COM agree to trust each other to authenticate users on the other's realm) or hierarchically, (i.e. you have XPLAIN.COM, and MACTECH.XPLAIN.COM as a subrealm of XPLAIN.COM.) In our case, Bob's user id is joined up with his realm to produce his Kerberos principal, (aka Kerberos user id), and looks rather like a funky email address: admin@REALM.COM.

Kerberos takes this principal and sends it as plain text across the network to the Kerberos Domain Controller, or KDC. Since this is just a user id, and is not sensitive information, there's no need to encrypt it. The KDC is the center of any given Kerberos realm, (Yes, it probably should be called a KRC, or Kerberos Realm Controller, but it's not.), and contains the database with all the user information for its realm. Along with Bob's principal, his Mac also sends the current time as it knows it, and the principal for the KDC, aka the Ticket Granting Server (TGS, part of the KDC). (We'll explain tickets in just a tick, so hang tight.) The TGS principal is always the same, krbtgt/realm name@realm name, so for Bob, his TGS principal is krbtgt/REALM.COM@REALM.COM.

The TGS gets this information, and looks up Bob's principal. It finds admin, and admin's password. However, Bob didn't send this password with his principal, so the KDC doesn't really know that it's the person it knows as admin@REALM.COM. All it knows is that someone claiming to be admin is trying to authenticate to REALM.COM. So, Kerberos does something that's pretty slick. It takes the password that it has for admin@REALM.COM, and uses it to create an encrypted session key. The only thing that can decrypt this is admin@REALM.COM's password. Within this session key is a bit of information called the Ticket Granting Ticket, or TGT.

The TGT is what the authorization system will use to ensure that a properly authenticated admin@REALM.COM is allowed to access various resources. The TGT itself is encrypted with a key known only to the TGS. This is fine, since it's the only thing that cares about the contents of the TGT. This encrypted TGT is then encrypted again within the session key that only admin@REALM.COM's key can decrypt. So basically, you need an unencrypted encrypted TGT to do anything. It's a little hard to explain, but it's like this: You ask for a TGT. You get back a little black box with a thumbprint scanner. The TGT is a USB key that has all the info on you. But to use it, you have to unlock the little black box that contains this USB key. What's on the key is not important to you. What's important is that you have the right thumbprint. If you do, groovy, you can now use the TGT. If not, then you can't.

So, the TGS sends this little black box back to Bob's Mac. The Kerb system on the Mac takes the password that Bob typed in, (or however he got it. You can use Kerberos with biometrics, RSA smart cards, USB keys, whatever you feel comfortable with. "Password" is not always a human-typed string), and decrypts the session key. If the passwords are the same, Bob now has a valid TGT, and a nice krbtgt ticket, which will allow him to get other tickets and access to other services. Note that at no time did admin's password travel across the network. It never will either. From now on, the TGT, which can only be decrypted by the KDC/TGS, does all the work. If Bob were to open up the Kerberos application in /System/Library/CoreServices right now, he'd see the following:

[Screenshot: the Kerberos application after login. Active user admin, realm XSERVE01, time remaining less than 10 hours; the ticket list shows krbtgt/XSERVE01@XSERVE01 with 9:58 remaining. Buttons: Renew Tickets, Destroy Tickets, Change Password, Get Tickets.]

Kerberos setup after initial authentication

So while this is cool, it's kind of a so what. I mean, great, Bob's authenticated as admin, has his initial tickets. What good does this do him? Well, if that was all Kerb did, not much. Logging into a Mac is nothing new; logging into a Mac with a centralized authentication system isn't new. The cool part of Kerberos comes from the Single Signon abilities it gives you. So, now that Bob's got all his tickets, he needs to mount an Apple File Protocol (AFP) share to get some files for a project he's working on. He finds the server in the Finder, or the connect to server dialog, and gets a list of shares, picks the one he wants, and mounts it.

Wait, how did Bob do that when he didn't have to enter a password or log in at all? Are they allowing guest access? No, they're taking advantage of Mac OS X Server's Kerberized AFP services. After Bob mounts that AFP share, if you looked at the Kerberos application, you'd see something new: an AFP ticket.

Kerberos showing AFP server tickets

So now what happened here? Well, when Bob accessed the Kerberized AFP server, Kerberos on his Mac took his TGT, added a request to access that AFP server, and sent it off to the KDC. Remember, passwords never travel across the network with Kerberos, and the KDC controls all for the domain, so rather than the AFP server handling the authentication part of this request, the KDC does. The KDC knows that it sent out the same TGT it's now getting to admin@REALM.COM, so when it gets the TGT and the AFP access request from Bob, it decrypts the TGT and can validate it locally. Again, no password on the wire, but it's all secure. Along with the access request and the TGT, Bob's machine packs an authenticator, which is a timestamp that's been encrypted with Bob's session key. The authenticator is there to ensure that every access request is unique. Without this, an attacker could just look for TGTs, copy them, and then use them to fake access.

This brings up another point that can cause problems for sysadmins new to Kerberos: Time Synchronization. Since the authenticator is a timestamp, all the machines in a Kerb realm have to have their clocks synchronized (usually to within five minutes of each other). Otherwise, there's no way the KDC can use the timestamp, since, if there was no synchronization requirement, you could use any timestamp you want, or just capture an earlier session key and use that forever. The other reason for time synchronization is that Kerb tickets have a time limit, usually ten hours. If you look at the earlier screen shots of the Kerberos application, you can see a "Time Remaining" column. This is the time left on the validity of the tickets. There's a very good reason for this. It ensures that even if you don't log out, you have to periodically reauthenticate. (One way to handle the time synchronization issue is to make the KDC machine the time server for your network, and have everything synch off of it. It's not the only way by a long shot; time synchronization is a well-solved problem.)

Face it, we aren't perfect about logging out. Especially if you have jobs that are going to take a long time to run, you don't want to log out. Well, if you had valid access for... well, forever, then an attacker could more easily subvert your nice Kerb system. So, tickets expire. Now, you can renew tickets any number of ways. In Panther, any time you log in, whether new, via Fast User Switching, or even from the screen saver, that's Kerberized, so you're reauthenticating yourself. If you haven't reauthenticated in a period of time decided by the KDC, you'll be asked to reauthenticate by Kerberos while you're logged in, as shown in the picture below.


[Screenshot: Kerberos 5.0.1 (Copyright 2003 MIT) password dialog: "Please type your Kerberos password", Name: admin, Realm: XSERVE01, Password field, with Show Options, Cancel and OK buttons.]

Kerberos Authentication while logged in

Now, getting back to Bob's desire to get onto his AFP server, the KDC gets this request, the TGT and the authenticator. The TGT and the authenticator work to show it's still admin@REALM.COM, and that the TGT is still valid. The request itself is the service principal for the AFP server in REALM.COM that Bob wants access to. (Within Kerberos, everything uses a principal to identify itself. Users, services, and KDCs, they all have principals.) For AFP, this looks like: afpserver/server@realm. The KDC gets this information, and uses the session key to validate the lot. It takes the TGT, which contains the user principal, and uses that to create a service ticket. The service ticket has two parts, the service principal, and the session key. This session key is created by the KDC and used to validate the user again. Both of these items are now encrypted again by the KDC with a password known only by the KDC and the service, in this case, the AFP server Bob wants access to. The KDC also includes a copy of this session key that is encrypted with the session key that was first created when Bob logged in. This way, Bob has a copy of the session key, which he'll need, even though he can't read the data in the session key. That's fine, since he doesn't need to.

Bob's Mac gets all this, ((session key & service principal) and a second session key) and sends the first session key and service principal (the ones encrypted by the KDC with the password that only the KDC and the service know), and sends this, unchanged, to the server, along with an authenticator, which is a timestamp like the one it sent to the KDC earlier when Bob started this whole process of getting on to the AFP server. It encrypts this with the second session key that it got from the KDC. The service gets all this, and does a couple of things. First, it decrypts the session key & service principal that is encrypted with the password that only it and the KDC know about. If this works, then the service gets access to that session key, which it then uses to decrypt the second session key that has encrypted the authenticator that Bob's Mac sent too. If both of these operations work, then there is an extremely high probability that this is in fact a legitimate request from admin@REALM.COM, and that this admin is indeed who it claims it is. If all this checks out, the AFP server is happy that this is a legitimate user. It can then see what admin@REALM.COM is authorized to use as far as shares go. If admin@REALM.COM is authorized to use shares on that server, then Bob gets his list of shares, mounts the one(s) he wants and voila! He's working on files on his AFP server.
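The three exchanges the article walks through (Bob's initial login that yields the TGT, the service-ticket request carrying the TGT plus an authenticator, and the final ticket-plus-authenticator handed to the AFP server) as one runnable sketch. This is an added example, not code from the article, from Apple, or from MIT Kerberos: it uses an HMAC-SHA256 toy cipher in place of the real Kerberos encryption types, constructed passwords, and principal names modelled on the article's admin@REALM.COM and afpserver/server@realm. It also carries through the time-synchronization point: a five-minute skew window, a ten-hour ticket lifetime, and a replay cache so that a captured authenticator is honoured only once.

```python
# Constructed toy model of the Kerberos exchanges described above; not real Kerberos crypto.
import hashlib, hmac, json, os, time

SKEW = 300           # five minutes of tolerated clock skew, as the article notes
TICKET_LIFE = 36000  # ten hours, the ticket lifetime the article mentions

def derive_key(password, salt):
    """Long-term key from a password (stand-in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy authenticated encryption (HMAC keystream + HMAC tag) of a dict under key."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal; raises ValueError on a wrong key or tampered data."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def _check(ticket, auth, now):
    """Shared checks: same principal in ticket and authenticator, fresh timestamp, unexpired ticket."""
    if auth["client"] != ticket["client"] or abs(now - auth["ts"]) > SKEW or now > ticket["expires"]:
        raise ValueError("bad authenticator or expired ticket")

class KDC:
    """Holds every principal's long-term key; the TGS key never leaves it."""
    def __init__(self):
        self.db, self.tgs_key = {}, os.urandom(32)
    def add_principal(self, name, password):
        self.db[name] = derive_key(password, name)
    def as_exchange(self, client, client_time):
        """AS request: cleartext principal plus client time; the reply carries the TGT."""
        now = time.time()
        if abs(now - client_time) > SKEW:
            raise ValueError("client clock skew too large")
        sk = os.urandom(32)
        # TGT sealed with the TGS key (only the KDC reads it), then the whole reply
        # sealed with the user's key, so only the right password opens it.
        tgt = seal(self.tgs_key, {"client": client, "key": sk.hex(), "expires": now + TICKET_LIFE})
        return seal(self.db[client], {"session_key": sk.hex(), "tgt": tgt.hex()})
    def tgs_exchange(self, tgt, authenticator, service):
        """TGS request: TGT + authenticator + service principal -> service ticket."""
        t = unseal(self.tgs_key, tgt)
        sk = bytes.fromhex(t["key"])
        _check(t, unseal(sk, authenticator), time.time())
        svc_key = os.urandom(32)
        # Ticket sealed with the service's key (held by KDC and service only); a second
        # copy of the service session key is sealed for the client under its login key.
        ticket = seal(self.db[service], {"client": t["client"], "key": svc_key.hex(), "expires": t["expires"]})
        return ticket, seal(sk, {"service": service, "key": svc_key.hex()})

class Client:
    def __init__(self, principal, password, kdc):
        self.principal, self.kdc = principal, kdc
        self.user_key = derive_key(password, principal)  # never leaves the client
    def login(self):
        data = unseal(self.user_key, self.kdc.as_exchange(self.principal, time.time()))
        self.session_key, self.tgt = bytes.fromhex(data["session_key"]), bytes.fromhex(data["tgt"])
    def get_service_ticket(self, service):
        auth = seal(self.session_key, {"client": self.principal, "ts": time.time()})
        ticket, enc = self.kdc.tgs_exchange(self.tgt, auth, service)
        return ticket, bytes.fromhex(unseal(self.session_key, enc)["key"])
    def ap_request(self, ticket, svc_key):
        """AP request: the ticket, unchanged, plus a fresh authenticator under the service session key."""
        return ticket, seal(svc_key, {"client": self.principal, "ts": time.time()})

class Service:
    def __init__(self, principal, password):
        self.key = derive_key(password, principal)  # shared with the KDC only
        self.seen = set()  # replay cache: each authenticator is honoured once
    def accept(self, ticket, authenticator, now=None):
        """Validate an AP request; returns the client principal or raises ValueError."""
        t = unseal(self.key, ticket)
        _check(t, unseal(bytes.fromhex(t["key"]), authenticator), time.time() if now is None else now)
        if authenticator in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add(authenticator)
        return t["client"]

def demo():
    """Bob logs in and reaches the AFP service; returns the principal the service saw."""
    kdc = KDC()
    kdc.add_principal("admin@REALM.COM", "bobs-password")               # constructed secret
    kdc.add_principal("afpserver/server@REALM.COM", "afp-service-key")  # constructed secret
    afp = Service("afpserver/server@REALM.COM", "afp-service-key")
    bob = Client("admin@REALM.COM", "bobs-password", kdc)
    bob.login()
    ticket, svc_key = bob.get_service_ticket("afpserver/server@REALM.COM")
    return afp.accept(*bob.ap_request(ticket, svc_key))
```

Running demo() returns "admin@REALM.COM". Note where the checks land: a wrong password fails inside Client.login() when the AS reply will not unseal, the AFP service never sees Bob's password at all (only a ticket it can open with its own key), a client clock more than five minutes off is rejected by the KDC, and handing the same ticket and authenticator to the service a second time is refused by its replay cache.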

While this seems incredibly complicated, and it kind of is, what Bob sees is:

1. Pick the server he has access to

2. Pick the share he wants to mount

3. Do work

With Kerberos' SSO implementation, all the complexity is handled below the user level, as it should be, so that users can do what they need to do, and it just works.

SSO Does Not Suck

That's the real beauty of Kerberos and SSO. As long as the service you're trying to use is Kerberized, you don't have to constantly log in and log out. With Mac OS X Server, almost every service is Kerberized, including things like ssh, FTP, IMAP, POP, AFP, and SMTP. (No, Windows services like SMB aren't Kerberized in Panther, but hopefully in Tiger they will be.) So you can get email, transfer files, run applications on remote servers, even ssh into a remote server, and never have to enter a password once you get past the initial login. How cool is that? Very, especially if you're a sysadmin with users that can only handle one password. When it comes time to change a password, you only have to do it one time, and you change it for every Kerberized service. Another cool feature is that since Microsoft's Active Directory uses Kerberos, you can integrate your Macs into an Active Directory environment, and still get all the benefits that SSO has to offer. A final nice benefit is that with Kerb, you can get tickets as any user you have login information for. So, you can log in as one level of user, but only get access to certain items as another level of user, by logging into Kerberos as that second user. It sounds funny, but it's a handy trick if you need it.

Now, SSO and Kerberos are not magic. While the services may be Kerberized, that's only half the picture. The clients you use to get to the services also have to be Kerberized. So the AFP client in the Finder is Kerberized, as is ssh on Panther. However, if you want a fully Kerberized FTP client, Fetch is the major name you'll see. For email, you have to use a Kerberized email application, like Mail, Eudora, or others. (No, Microsoft Entourage is not Kerberized, even though Exchange and Outlook are, a point of no small annoyance to those of us wanting to move to an SSO world as much as possible, and no, the Keychain doesn't count.)

As well, while Kerberos keeps passwords from crossing the wire, it doesn't magically make them secure. Using a password of "password" is still going to leave you wide open to attack. There's no way around it; even with Kerberos, password quality is critical.

Finally, even though Apple has made it really easy to get started with Kerberos on your network, there's a ton more to it than you'll find in Apple's documentation. I really, really recommend that you spend a lot of time on the sites in this article, (also listed at the end of the article) and with the O'Reilly book on Kerberos. It's easy to make a silly mistake with Kerb that will cause you many problems down the road, so a little planning on the front end will save you a ton of agony on the back end. You aren't going to get full integration with other Kerb realms or Active Directory by winging it. If you're going to be running an Open Directory Realm, I cannot recommend strongly enough that you spend the money on the Apple server courses, taught by Schoun Regan, Mike Bartosh, Joel Rennich, and others. They will save you more pain than you thought could exist in the world of being a sysadmin, and will save you the course cost in time spent not undoing mistakes within a year of taking them, heck, probably within months.

Conclusion

I hope this (very) simplistic look at Kerberos and Single Signon helps you out, whatever your network setup is. While the setup can be a bear, and wrapping your head around Kerberos can be daunting, once you get it, you'll wonder why more things aren't Kerberized, because it's just so silly to not be Kerberized.
Web sites with pertinent articles:

• http://www.afp548.com/ (Not just for Kerberos, if you're a Mac administrator, you need this site.)

• http://www.4am-media.com/modules.php?name=Articles (three excellent articles on Kerberos by Mike Bartosh, who knows more than almost everyone about Kerberos and Mac OS X implementations)

• http://web.mit.edu/is/kerberos/www/ (The home page for Kerberos. Marshall, Alexa, Scott, and the rest of the MIT Kerb team do amazing work, and without them, and a lot of other people at MIT (and Apple too!), we wouldn't have this really cool technology on our OS of choice.)

• Starts at http://www.afp548.com/articles/panther/kerberos1.html, and was invaluable as a source for this article. If you run Mac networks, you need to read this site, it's one of the best ones out there. Joel, Josh, and all the others do a fantastic job. Yes, I'm gushing, they earned it.
iBoom from Digital Lifestyle Outfitters

One of the most remarkable things about MacWorld Expo in San Francisco was the amazing collection of iPod-related accessories. As Michael Harvey mentioned in his January MacTech review of the show, the iPod was everywhere. There were FM transmitters, skins, headphones, bags and cases, everything you would expect for the iPod.

But one product really caught my attention. The iBoom, from Digital Lifestyle Outfitters, is a boom box specifically designed around the iPod and iPod mini. Around a foot across, eight inches tall and six inches deep, the iBoom features a pair of speakers, surrounding an FM tuner and a slot specifically designed to hold a later-generation iPod. The iPod slides into the slot, then seats into the connector at the bottom of the slot, just as if it were sliding into a cradle. For iPod minis, the iBoom ships with an adapter that fits snugly inside the iPod slot.

So what's so cool about this device? Lots! Power on your iPod, hit the power switch on the iBoom, and the sound comes directly out of the iBoom speakers with no extra connections. The sound is very reasonable for such a small unit. And the iBoom will charge your iPod as well. Very cool! Last but not least, the iBoom features an FM tuner, for those times when you long for the nostalgia of commercial-laden music.

The iBoom, Digital Lifestyle Outfitters, http://www.dlodirect.com/iboom.html, $149.99.
AXIO SWIFT HARDPACK

For years, I rode my motorcycle carrying my PowerBook in a shoulder bag. After about 30 minutes of riding, the shoulder bag would cut in to my neck and start causing me pain. Not only were these shoulder bags uncomfortable, they moved around during riding, and offered no protection for my PowerBook. I dreamed of a computer bag that offered comfort for long rides, and protection for my PowerBook. The Axio Swift Hardpack is my dream come true.

The Swift Hardpack is gorgeous on the outside. The carbon fiber shell looks sporty, and provides the protection you need for your PowerBook. The shoulder straps are curved to afford you range of motion and comfort while riding. A chest strap ensures the shoulder straps are out of the way.

I was surprised how easy it was for me to put my bag on over my riding jacket. My jacket is a little bulky, and I'm no small dude. After the bag was on, I put my helmet and gloves on and went riding. The Swift Hardpack was great. I didn't even know I had it on. It never moved in the twisties, and didn't flop around at high speed (100+ mph for the curious).

After taking the long way to the office, I walked in with all my gear on, thinking I was the coolest guy there since I was riding a motorcycle, and had this brand new bag. After I took off my helmet, my co-workers said my hard shell backpack made me look like a turtle. Go figure. Well, at least my ride was comfortable, my PowerBook was protected, and I thought I looked cool.

Taking the bag off was even easier than putting it on because each shoulder has a quick release buckle. Unbuckle the strap, and the bag just comes off. I unpacked the computer, took all my riding gear off, and got to work.

My 17" PowerBook had no trouble fitting in the bag. I had plenty of room for my cables and accessories. There are also many little compartments for anything you need going mobile. There is even a keychain holder for people like me who hate putting keys in their pocket.

There are loop ring connectors all over the backpack for you to add any accessories you need to. You can even use the loop connectors to tie down the bag on your bike. Additionally, Axio includes a very nice weatherproof cover for those days we have to ride in the rain.

The Axio Swift Hardpack is simply the best computer bag I've ever used. It combines function and beauty, as any Mac user expects. This bag is a must for any motorcycle riding, PowerBook user. $160.

by Brian Shin